Microsoft Makes Password Failure Lockout a Default in RDP; HHS Threat Briefing Focuses on Web App Security; Patch Your FileWave MDM Software

Nice move by Microsoft. RDP has been called "Ransomware Deployment Protocol" for a reason. Sadly, it is still widely deployed without sufficient controls and Microsoft's move will make it slightly less likely for a carelessly deployed system to be compromised.

Johannes Ullrich

Two security policies that have been common requirements that have been too often ignored or bypassed are lockout after failed attempts and requiring MFA on all remote access. Microsoft turning on lockout by default for RDP is a good thing, but turning on MFA for RDP obviates the need for lockout and stops more than just brute force attacks.

John Pescatore

Account lockout is excellent, and you should enable it on all platforms which support it. Now go make sure that any internet facing RDP requires MFA, and is sufficiently monitored and otherwise secured to withstand malfeasance.

Lee Neely

It is good to see a vendor like Microsoft making security by default the standard setting in its newer products. It has been a long time coming and I hope we see this initiative spread to many other settings and products, not just those offered by Microsoft but for other vendors too.

Brian Honan

This control is not disruptive and might well be enabled by default.

William Hugh Murray

Teaching web application security for a few years now, I am always surprised by the lack of awareness around common web application security threats. This isn't just a healthcare problem, and we have to stop looking at it as a software/developer issue. Security teams not understanding web logs and how to recognize common attacks are as much part of the problem as missing SBOMs and developers not understanding the risks of dom based XSS.

Johannes Ullrich

Even if you're not in the healthcare sector, read the HHS PDF below. The mitigations and protections should not come as a surprise - what may surprise you is where you're not doing them. Make sure your WAF is not in learning mode, but actively blocking attacks, login services should employ MFA, with monitoring as well as impossible access scenario detection and prevention. Make sure that your testing development requires issues found to be addressed, not merely noted.

Lee Neely

This isn’t really guidance, it is a threat briefing from the HHS HC3 – a good basic presentation about web app security threats and controls but unfortunately no raising of the regulatory bar to force movement. It does include a nice list of web app security requirements from the HHS Cybersecurity Practices program that map to about 40 NIST Framework controls. If you are trying to justify increasing app security in 2023, use that as a checklist to point out compliance gaps.

John Pescatore

Web apps. Again. A good old web application vulnerability in a piece of "security" software. No cloud involved here, just a good old web application vulnerability that is so boring that we rather have it than spend the time learning how to do authorization properly.

Johannes Ullrich

Don't think MDM only impacts my smartphone fleet. MDM's are managing Windows & Mac Laptops, as well as your iPhones/iPads/Android Tablets and smart phones. The exploit provides privileged access to a FileWave MDM, allowing for modifications across your fleet managed devices. As such, you want to roll out the fixed version. You're going to need to update all your components - servers, boosters, imaging, admin and client platform. The good news is it's a series of simple package updates.

Lee Neely

Too late. It’s probably already compromised if you had it exposed to the world. But that was probably just a honeypot anyway (at least it is now).

Johannes Ullrich

The hard coded password for the "disabledsystemuser" account has been published. Make sure you've deleted that account, and you monitor for it being recreated. This is a system account, so even if you remove the Atlassian product, the account remains. And yeah, apply the patches to your Atlassian products immediately.

Lee Neely

Long gone are the days of moving the jumper or dip switch to permit firmware updates. As such you were making sure the updates were pushed from verified sources. This malware appears to be an update performed on an already otherwise compromised system. Once installed the firmware includes the CSMCORE DXE driver which enables a legacy boot process, adding accounts to the OS along the way. The killer is that you cannot just re-install/replace the drive to eliminate UEFI firmware implants. If you're lucky you can install known good firmware, but odds are you're in a physical hardware replacement scenario.

Lee Neely

The likelihood of exploit can be reduced by deploying a WAF, but the right way to fix this is to deploy the update. Then look at how a WAF could help with this and other applications.

Lee Neely

It is disappointing in the extreme that in 2022 we see a security vendor having to address a SQL Injection vulnerability in their product suite.

Brian Honan

See my comment about the FileWave issue.

Johannes Ullrich

Two comments: (1) The “flexibility” added is largely by TSA changing to a “tell us what you will do and then we will audit to make sure you do what you say” approach which usually sets a very low bar for security. Good news is TSA has mandatory requirements for what must be included that cover the important basic hygiene elements. (2) There is a deadline for operators to submit plans, but there did not appear to be a deadline around TSA review and approval. Does TSA have the staff or contractor to do meaningful review with timely turn-around?

John Pescatore

The initial version of the requirements, from July 2021, resulted in a flurry of 380 exception requests, an indication that this needed to be revisited. This is intended to be a more flexible framework to incorporate variances in environment and implementation. Operators have 21 days to submit a plan to implement the new requirements. Once approved, they are expected to actually implement them. Requirements include segmentation, MFA, incident response plans, auditing, and logging capabilities.

Lee Neely

These fines have been ramping up on a $/impacted user basis. Uber’s $148M fine in 2016 was $2.6/user, Equifax in 2017 as $4.29/user and T-Mobile’s fine for the 2021 breach is $6.49/user. The costs the breached companies paid outside of the fines is hard to define but typically in these mega breaches it is in $10 – 25/record exposed range – always more than the fine. The fines are useful to show CXOs and boards – in the vast majority of breaches, the cost of fines alone is much higher than what it would have cost to avoid or minimize the incident.

John Pescatore

If the settlement is split equally among the 77 million customers, they get about $5 each. T-Mobile is partnering with Mandiant, Accenture and KPMG to improve their cybersecurity posture and conducting about 900,000 training courses for employees and partners. As this 2021 incident is the fifth publicly acknowledged security breach in four years, it'll be interesting to see how effective these measures are.

Lee Neely

The breach was due to attackers obtaining an access key which allowed them access to Uber's databases of users and drivers. the information for 50 million users and 7 million drivers was exposed. Uber not only paid a ransom, but also around $148 million in settlements of civil litigation. The lesson here is to report incidents as required.

Lee Neely

All CSOs should watch this case very carefully to see what legal liability their role could be exposed to by decisions made when dealing with a breach.

Brian Honan