Free DHS Election Cybersecurity Toolkits Require Investment in Skills; Cisco Details on Errors That Enabled MFA Bypass Breach; US Needs Congress to Act on Assuring Critical Infrastructure Guidance Will Be Followed

While free toolkits are obviously lower in acquisition cost, they still require a level of cybersecurity skill to use for any purpose other than producing “fill the binder” documentation. For example, the first step in this process is to use the online Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission. The bad news: it asks the filler-outer to estimate risk at the Confidentiality/Integrity/Availability level with slider bars. All too often in the US election system, the person filling out this form will have no idea of what the risk level is and may not even understand those terms. The good news: the slider bars show curves for how election experts assessed the CIA risk and (at least on my browser) the default risk estimates are fairly high and clicking through maintains those defaults. The CISA focus on free tools unfortunately perpetuates the myth that additional spending on staffing and training by state and local is not required for election security – both are badly needed.

John Pescatore

When performing a self-assessment, one of the hardest parts is to be brutally honest about your current state, particularly if you're not used to this. Here is a case where peer review can help you. The Election Survey Risk Profile tool is ten pages of questions, with your answers driving added questions. Once you have an honest assessment, then the real work begins of addressing issues. CISA is leveraging the NIST Cybersecurity Framework, so there are plenty of resources and expertise to help you succeed.

Lee Neely

As the tool suggests, in order to be effective, much less efficient, security must be risk based. However, risk assessment requires knowledge, skill, ability, and experience. These are not likely to be found in many of the 8000 election jurisdictions. It is all too easy, indeed common, for the novice to confuse threat, vulnerability, or consequences for risk. An effective tool for such a population must provide a lot of guidance while being easy to use. It must not rest upon the ability of the user to do something that he is not equipped to do.

William Hugh Murray

This is another example of how complex attacks will be used to try to (and sometimes succeed in) bypassing multifactor authentication. Definitely read the Initial Vector section of the Talos report to see what the compromised user did wrong (multiple things) and look at your awareness training to see if you have this covered. Cisco has recently seemed to be in the news too often for vulnerabilities in their products (see ASA item in this Newsbites, for example) but over the years (going as far back as SQL Slammer in 2002) Cisco’s internal security has aggressively focused on maintaining the skills, processes and controls to reduce time to detect, respond, restore, etc.

John Pescatore

Thanks to Cisco for sharing the details to allow us to learn from Cisco's experience.

Johannes Ullrich

The higher we raise the bar on password-based authentication, the more we can expect users to use electronic means to store those credentials. Make sure that you have policy and training about storing and syncing company credentials using non-corporate mechanisms. At a minimum make sure that remote access requires MFA rather than reusable credentials. Ideally, all remote entry points, including endpoints, should require MFA.

Lee Neely

All too often an error by a single employee results in the compromise of the entire enterprise but it need not be so. “Zero Trust” architectures, or even network segmentation, can make the enterprise tolerant of the inevitable user error.

William Hugh Murray

The main issue with MSDT was the fact that it was directly exposed via Microsoft Office. This issue was fixed in an earlier update. However, the directory traversal/code execution issue remained. This has been fixed with this update.

Johannes Ullrich

While the number of issues seems large, 20 of these are Chromium-Edge and 32 are Azure Site Recovery. Also included in the patches are three critical Exchange server patches (CVE-2022-24477, CVE-2022-24516 and CVE-2022-21980) which need to be applied immediately. Fully fixing the issues requires enabling Windows Extended protection on Exchange Servers. Review the MS blog post on the Exchange Server Updates (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862) for more details. Revitalize your projects to move to hosted email servers wherever possible.

Lee Neely

Sharing information lately practiced by Cloudflare, Cisco and Twilio is a great resource to learn and improve. One common theme lately is that targeted attacks are exploiting a disconnect in how some multi factor authentication systems work, and how users perceive them. You should update your user awareness training to include these abuse cases.

Johannes Ullrich

This is a great example of what phishing-resistant MFA means. Hardware MFA, in this case using FIDO2-compliant key and implemented origin-binding, even with the captured credentials, the attacker couldn't get past the login prompt. That said, you need to make sure that your MFA is comprehensive, don't exclude system administrators, VIPs, etc. Where using SSO, make sure that users have to strongly authenticate to the endpoint, and that the endpoint is trusted, genuine, and meets or exceeds your required security posture

Lee Neely

Bitdefender gives kudos to the Device42 team for rapidly responding and working with them to make sure the issues are resolved. Make sure that your vulnerability disclosure team has a similar model, irrespective of the source reporting issues. Device42 version 18.01.00 addresses the four CVEs (CVE-2022-1399, CVE-2022-1400, CVE-2022-1401, and CVE-2022-1402). Given that Bitdefender has published their findings, it's time to make sure that version was deployed.

Lee Neely

While the attack took out the central payment systems, local stores were able to open by finding alternate solutions which worked locally. Make sure that your DR plan includes information on how to keep remote locations operating when central systems are offline. Consider not only the tactical immediate operational return, but also the long-term actions to reconcile information with those systems when they come back online.

Lee Neely

Make sure that users are staying on the current release of Office products, including subscription to (and application of) updates. Make sure you have written management support for minimum versions for users resistant to moving off treasured versions. Recovery from an incident related to running old versions quickly exceeds the cost of providing a license. Investigate Microsoft's home use program to facilitate users being on current versions for their non-work systems.

Lee Neely

The service provider is rebuilding services with updated security practices, to include increased monitoring, EDR, and increased segmentation/isolation. If you're going to rebuild everything, you may as well increase the security, and may be the only time you get management support to fully implement those changes. Beware that you're changing things and unknown interdependencies may add significant time to the recovery process as they are resolved. As a customer, be aware of your service provider's security posture. While we're used to making sure our data data is isolated and protected, we also need to ensure that protections are in place to stop lateral movement, all endpoints leverage EDR, are actively monitored, and have a clear understanding of their service restoration model and timeline.

Lee Neely

As the ASDM packages are not signed, use caution downloading to make sure you have legitimate copies, including the Java based launcher. It's also not verifying SSL certificates, so use caution to avoid MitM scenarios. At this time there is no auto-update, so make sure that you're checking periodically, and don't expose your ASDM services to the Internet. The good news is there are fixes for most of the ASA and FirePOWER Services you can deploy.

Lee Neely