Ransomware Payment Recovery Never Covers the Cost of the Incident; PyPi Raises Security with 2FA Requirement; Windows Autopatch Released

The obvious reaction from most NewsBites readers is, of course, “No Duh” or whatever the 2022 equivalent of that is. But, important to get across to management that no insurance payment, let alone any recovery of damages through legal means, ever covers the full cost of an incident and more importantly: the cost of avoiding most incidents is almost always less than the cost of suffering the incident.

John Pescatore

The volatility of cryptocurrency worked in their favor this time. While it's awesome to recover the payment, and I would jump on it if the opportunity presented itself, don't assume recovering the ransom, including any increase in value, will come close to covering costs incurred to recover from an attack, particularly as some decryption programs provided by the attackers don't work leading to the most resource intensive recovery option.

Lee Neely

This is an important point that organizations should take into consideration when facing ransomware extortions, the cost of recovery is not just the ransom demand. It can also include the costs of replacing compromised devices, updating systems, dealing with forensic and other investigations, and so on. (Disclaimer: I am a guest lecturer at Maastricht University but had no involvement with this incident.)

Brian Honan

The push-back from developers is interesting, and a good lesson for anybody rolling out 2FA in larger organizations. Developers contributing to PyPI are probably less likely to experience technical issues implementing 2FA than most organizations, and these developers are likely more aware than most about some of the issues with password-based authentication. But still, the extra complexity of 2FA was enough for some of them to rebel/refuse to participate.

Johannes Ullrich

It’s 2022. How have the other library management systems survived this long without requiring multi-factor? Having not been extremely into every library management system like this, it does make you question what the other managers are doing. Is this an oversight? Have threat actors been in these systems for years without tipping us off?

Moses Frost

Good to see all the momentum and minimal (but not zero) pushback for stronger authentication in the software supply chain. Now is a good time to do a prototype test of 2FA within your organization, maybe just the security group and some security friendly IT admins. Find the trouble areas (there will be some) and develop, and get approved, plans for some level of 2023 rollout.

John Pescatore

Nice move to incentivize the adoption of 2FA! Before you get too excited, note that the Titan keys are only authorized in Austria, Belgium, Canada, France, Germany, Japan, Spain, Switzerland, United Kingdom, and the United States. Other areas need either a FIDO U2F key or enable 2FA through a mobile app such as Google Authenticator, MS Authenticator, DUO Mobile, etc. Note that this simply prevents accounts being usurped by others, doesn't ensure the integrity of the users who have the 2FA tokens.

Lee Neely

Windows Autopatch is an interesting option for larger organizations to manage the risk of patching. Note that this is an option, and not replacing the patch Tuesday we know and love. But it offers for free what many organizations are already doing in some form.

Johannes Ullrich

Per many previous comments, try it out – most organizations will see minimal breakage and take one more step towards basic security hygiene.

John Pescatore

I would like to say “Yay, this is great," like Chrome Automatic Updates, but we have seen problematic patches in the past. Will we see an enterprise or two go down because of a botched patched like we say when Antivirus vendors accidentally quarantine critical system services? Curious to see how this will go.

Moses Frost

Make sure you understand how this applies to your business, as in what packages and license levels you need to enable the feature and is available both through as services from Microsoft to manage systems on a customer's behalf (Windows Autopatch) or as part of Windows Update for Business and the Windows Update for Business deployment services. Start with a test set of systems to determine the impact, versus your prior update mechanisms. Note that this is directed to end-users (commodity systems) rather than server systems, where application of the updates requires a much lower level of regression testing and has become SOP.

Lee Neely

This is part of the bill coming due as the health care world has moved (sloowly) to depending on and starting to realize the benefits of electronic health records. The Healthcare Information Portability and Accountability Act (HIPAA) in 1996 resulted in breach notification regulations giving 60 days for notifying impacted parties and HHS, obviously too long – very manual processes evolved from that. Tighter requirements would have driven the need to move away from manual, paper bound breach notification processes at least as fast as electronic health records moved.

John Pescatore

In incident response one of the most important things you can do is to learn from your own incidents, one of the other important things you can do is to learn from others’ security incidents. Hopefully, the HHS will provide feedback to individual organizations and sanitized feedback to others so that all organizations can improve their security from lessons learnt.

Brian Honan

Whether you're having vulnerabilities or breaches reported to you, timely response is required. Additionally, don't just file the information, make sure it is acted upon by qualified and empowered people. Without an effective response, those reporting are unlikely to continue to do so and may chose other ways of handling the information which may be far less desirable.

Lee Neely

The change was likely rolled back due to unintended business process impact. No matter what the source, users need to be trained to think twice, pause, and think again, before enabling macros in an Office document. Organizationally you can roll out the Microsoft Office group policy objects and enable the "Block macros from running in Office files from the Internet" policy setting. Note that a document's properties could then be updated (file, properties, and click unblock in the security section and hit apply) to remove the "mark of the web" and macros would then be enabled. Only do this for trusted content.

Lee Neely

The amount of chatter on Twitter and other social media over this is rather interesting. Many pen-testers and red team individuals are cheering and jeering at Microsoft’s decision to roll back. Cheering as Macros will still be somewhat available over the Office Ecosystem and Jeering because Microsoft had a chance to remove this vulnerability by default. What this will ultimately mean will be difficult to figure out, other than the “status quo” from here on out for the foreseeable future.

Moses Frost

Had to manage a similar problem in IBM some forty years ago. Changing the default (the right "security" decision) broke applications all around the world. One can only sympathize. Notice and publicity can only marginally mitigate the pain.

William Hugh Murray

The three cybersecurity recommendations are pretty high level, mostly focusing on risk assessment and management. Missing two key things: giving priority to achieving basic security hygiene in existing energy infrastructure and building security into evolving energy sources that are more distributed than the traditional infrastructure.

John Pescatore

Some of the recommendations, while timely, need funding to have the intended benefits, particularly for specialized areas where finding workers with relevant skills may be difficult without sufficient incentives.

Lee Neely

The hard part of improving grid security is changing the culture of the industry in which, the access of operators to those controls that they use to respond in real-time to component failures or imbalances between load and supply, trump cybersecurity and grid resilience.

William Hugh Murray

In order to come close to something like “zero trust” you first need strong authentication in use and IT and security operations meeting basic security hygiene requirements around configuration and vulnerability management, privilege management, etc. So, realistically any scoring system should be showing near zero for several fiscal years, no hurry.

John Pescatore

This appears to be about trusting users rather than systems and architectures, the hard part to see in real-time.

William Hugh Murray

SANS instructor Heather Mahalik, at the RSA Conference SANS New Threats and Attacks keynote panel, discussed why you need to look at the risks of “stalkerware” with Pegasus as the prime example. There is a need for intelligence community tools to track bad actors, really powerful stalkerware will always be used there and almost as powerful stalkerware will be used commercially, too – but done under the name of “marketing AI.” For really high value users, like CEO, CFO, board, etc. extraordinary protection will be required – see previous NewsBites comments on Apple’s LockDown feature coming for iPhones.

John Pescatore

Counterintelligence concerns and suggestions should be factored in as risks in your decision-making process. This doesn't mean you have to accept their recommendation; it means don't discount it without careful consideration. Additionally, there are financial consequences for disregarding DOC sanctions, such as blacklisting an entity. The point is to make an informed decision rather than being blindsided by unintended consequences.

Lee Neely

The DoD has over 200,000 suppliers – a rising tide for security in the Defense Industrial Base will raise the security level of all vendors. Great example was when NIST put out encryption standard FIPS 140-1 in 2001 or so, it enabled browser security and the ability to at least do SSL with meaningful encryption. But progress really started to happen a few years later when OMB or GAO required all browser procurements to only use FIPS compliant products -and private industry benefitted enormously.

John Pescatore

Supply chain security, to include single points of failure, and domestic vs foreign sources will continue to be on the radar for quite some time. Even if you're not in the defense space, we've all learned about the potential consequences of remote or non-redundant suppliers over the last two years. Identify where you have similar dependencies and make sure that you have a plan B & C.

Lee Neely