SANS NewsBites

Protect First, Then Convince Auditors; Don’t Assume Cyberinsurance Provides Liability Reduction Assurance; Take a Look at Microsoft Sysmon’s Security Features; Update and Relaunch Chrome Browsers

August 19, 2022  |  Volume XXIV - Issue #64

Top of the News


2022-08-17

Compliance is Not an Effective Approach to Cybersecurity

In an experiment run by Navy CIO Aaron Weis and Scott Bischoff, command information officer at the Naval Postgraduate School, red teams launched frequent, unannounced attacks against their own networks. The experiment demonstrated that the approach “reveals which vulnerabilities are the most dangerous, the easiest for an attacker to exploit with the highest impact—information they wouldn’t have otherwise.” Weis notes that while the Defense Department currently manages cybersecurity as a compliance issue, “Cybersecurity is not a compliance problem.”

Editor's Note

For most NewsBites readers, this is a “no duh” moment – even Navy CIO Weis says “We've got…15 to 20 years of track record using a compliance mentality that says it doesn't work…” Same issue in private industry over that period: the vast majority of credit card info breaches occurred at companies that had passed PCI DSS audits. The key is “protect the business/mission first, then convince auditors you are compliant” and the US DoD needs to focus on the obstacles impeding change. In civilian federal government, we’ve seen the Office of Inspectors General take initiative to add active testing (a la targeted threat hunting and pen testing) to their audits, vs. just data calls collecting reams of policy documents for compliance. Always most effective for security teams to do the right security things before the auditors do it!

John Pescatore

Well, this is a “water is wet” kind of story, and while it’s a bit embarrassing to hear senior technology leaders say that a compliance-driven mentality is wrong when the rest of the world has been saying the same thing for the past two decades, it is progress. If it moves the Navy in the direction of managing by risk instead of managing by compliance, it’s something we should applaud.

Mark Weatherford

Compliance, configuration of security to an accepted baseline and verifying it remains at or above that baseline is a starting point, not an end state. For many years now, I’ve been involved with audits of FISMA systems against published baselines. Those baselines have been suggesting active monitoring of technical controls for a few years now, and DHS’s CDM program is an example of active monitoring. The problem is you need more than big brother watching, you need your own assessment. About 15 years ago our FISMA audits started to include external pentests, and about ten years ago, the testing added internal testing, ultimately having the assessors’ gear live on our internal network. This is both scary and enlightening. Two excellent lessons here. First, don't wait for a regulator to find your deficiencies; use active means. Remember the auditors are of limited scope, you need a plan for *everything*. Second, use a third party to compensate for your biases, question your accepted deficiencies.

Lee Neely

If compliance won't get us there, let's focus on what will. Asset inventories, identity management, and patching/vulnerability management all matter. We must also hire reputable penetration testers and give them network diagrams, inside access, and recent vulnerability scans.

Christopher Elgee

The one thing that concerns me here is that this report is even making the news, or that even a report like this has to be published.

Lance Spitzner

2022-08-15

Check the Details of Your Cyber Insurance Coverage

A judge has dismissed a lawsuit brought by SJ Computers against its insurer, Travelers Casualty and Surety Co., over a disputed claim. SJ Computers sought payment of $600,000 for losses incurred after it was targeted in a business email compromise (BEC) scheme. Travelers moved to dismiss, arguing that the incident was social engineering fraud rather than computer fraud; the policy’s social engineering fraud coverage is capped at $100,000.

Editor's Note

Definitely use this item to discuss with your Chief Legal Counsel, CFO and/or Board of Directors. If your company is just now looking at cyber insurance, a short tabletop exercise would be ideal. Most lawsuits like this seem to find in favor of the insurance companies and most security folks should NOT be the ones examining all the clauses and loopholes when policies are being looked at. This incident really pointed out three key issues: how MFA would have made it much harder for the attacker to compromise the purchasing manager’s PC; informal approval processes enabled the false sense of urgency the attacker created to succeed; and why cyber security policies rarely, if ever, cover anything close to the entire cost of attacks that exploit those first two issues.

John Pescatore

Even if you play a lawyer on TV, hire a professional who knows cyber law to read your existing contract. You need to know when they will and will not pay. As tempting as it is to say, “I read it when we signed up, we're good,” make sure that you’re looking at their most current language, as many contracts include language to the effect that continued use/renewal is consent to the most current contract terms. Make sure that you’re addressing any coverage gaps, and adjust the policy where needed. Make sure you have a plan for items with reduced to negated coverage.

Lee Neely

Wow, this is a big deal. First, I never even thought of “Social Engineering” vs. “Computer Fraud” as being two different things because from my perspective they are very intertwined. However, from a legal / insurance perspective it can (and is in this case) clearly defined as two very different things. With over 80% of breaches now involving the human element, this could easily become a legal mechanism where insurance companies don’t have to pay.

Lance Spitzner

Suffice it to say that most enterprises do not have the competence to evaluate cyber insurance policies and compare them to the risk that they are trying to assign. Consider the use of a broker that specializes in this kind of coverage.

William Hugh Murray

2022-08-18

Microsoft Sysmon 14

Microsoft Sysmon 14 adds a FileBlockExecutable rule type (Event ID 27) that lets administrators block the creation of executable files. Blocking decisions are driven by the Sysmon configuration and can match on several criteria, including the target file path, the process writing the file, and the file hash. It should be noted that a security researcher has already published a method to bypass the feature.
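As an added illustration (not part of the NewsBites item and not taken from Microsoft’s documentation), the configuration below shows what a minimal FileBlockExecutable policy looks like. The rule names, the chosen paths, the Office process names used as examples of a writing process, and the all-zero hash value are assumptions and placeholders for this example, not indicators from a real incident.

```xml
<Sysmon schemaversion="4.82">
  <!-- Only algorithms listed here appear in the Hashes field, so a hash
       rule can only match an algorithm configured here. -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="BlockExecutables" groupRelation="or">
      <!-- Event ID 27. onmatch="include" means: when a rule matches the
           executable being written, block it and log the event. -->
      <FileBlockExecutable onmatch="include">

        <!-- Example path rule: block PE files written under a user's
             Downloads folder. Both conditions must hold (groupRelation="and"). -->
        <Rule name="Exe written to Downloads" groupRelation="and">
          <TargetFilename condition="begin with">C:\Users\</TargetFilename>
          <TargetFilename condition="contains">\Downloads\</TargetFilename>
        </Rule>

        <!-- Example path rule: block PE files written to the user's Temp folder. -->
        <Rule name="Exe written to user Temp" groupRelation="and">
          <TargetFilename condition="begin with">C:\Users\</TargetFilename>
          <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
        </Rule>

        <!-- Example hash rule. The value is a PLACEHOLDER (64 hex zeros), not a
             real sample hash; replace it with the SHA256 of a binary you want blocked. -->
        <Hashes name="Known-bad binary" condition="contains">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Hashes>

        <!-- Example writing-process rule: block any PE dropped by Word or Excel,
             regardless of where it is written. Image is the process doing the write. -->
        <Image name="Office dropped an exe" condition="end with">\WINWORD.EXE</Image>
        <Image name="Office dropped an exe" condition="end with">\EXCEL.EXE</Image>

      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install with `sysmon64.exe -accepteula -i block-exe.xml`, or push a changed policy to an already-installed Sysmon with `sysmon64.exe -c block-exe.xml`. Two practical caveats: the Downloads rule above will also stop legitimate installer downloads, so stage the same filters first under `FileCreate` (Event ID 11), which logs the matching writes without blocking anything, and review that telemetry before switching the filters to `FileBlockExecutable`; and the control acts when the file is written, not when it is executed, so it complements rather than replaces AppLocker/WDAC-style execution control, particularly given the bypass mentioned above.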

Editor's Note

We continue to see more and more organizations deploying Sysmon (it is free) alongside their EDRs but the number is still relatively low (<20% if I had to guess). I highly recommend considering Sysmon as part of your security stack. Like all detection solutions, it requires detection engineering, tuning, continuous testing, and validation.

Jorge Orchilles

The feature requires the use of XML rules files which need to be passed to sysmon as it starts up. Even with a bypass method, this should only be one component in your larger cadre of protection services - yeah I'm going to say it - defense in depth.

Lee Neely

2022-08-18

Make Sure Chrome Browsers Are Updated and Relaunched

Google has updated the Stable channel for Chrome to version 104.0.5112.101 for Mac and Linux and version 104.0.5112.102/101 for Windows. The updates for the desktop versions of the browser include fixes for 11 security issues, including an insufficient validation of untrusted input vulnerability in Intents (CVE-2022-2856) that is being actively exploited.

Editor's Note

One of the fixed vulnerabilities is already being exploited. Luckily, Google Chrome has pretty good auto-update features. Make sure to exit Google Chrome at least once a day to allow it to update.

Johannes Ullrich

That improper input validation (CVE-2022-2856), with a known exploit, should be sufficient motivation to push out your updates. Make sure that users really relaunch Chrome, Brave, etc. and they are running the current version. (As opposed to a relaunch from the last update, leaving them not current yet.)

Lee Neely

The Rest of the Week's News


2022-08-18

Can Machine Learning Predict Which Vulnerabilities Will be Exploited?

Researchers from the University of Maryland at College Park and Arizona State University have developed a model to predict which software vulnerabilities are more likely than others to be exploited. The researchers “propose a new metric, called Expected Exploitability (EE), which reflects, over time, the likelihood that functional exploits will be developed.” The metric was developed using machine learning based on more than two dozen data sources. The researchers published a paper on their work at the USENIX Security Symposium in Boston last week.

Editor's Note

Whenever there are vendor or researcher papers on AI/ML predicting cybersecurity-relevant stuff, I always search for where (too often “if”) false positives are mentioned. This paper did a good job of addressing false positives, in particular what they call “label noise,” but it kinda seems like this index mostly says “if good guys publish Proof of Concept attack code, then high likelihood bad guys will be able to exploit this one.” That issue is pretty much covered by CVSS scoring’s Exploit Code Maturity metric under Temporal Metrics. This research used that data but also added other similar information. Either using this index or simply tracking Temporal Index driven increases in relevant CVSS scores does look like it reduces false positives – but very often the initial CVSS score already includes presence of functional PoC code.

John Pescatore

Properly predicting the likelihood of a vulnerability being exploited is a game changer for enterprise patch management. I will believe that this works once it has shown to be effective for future vulnerabilities.

Johannes Ullrich

Very interesting paper that I will need more time to digest and think through. I like how it compares and contrasts with the Exploit Prediction Scoring System (EPSS): https://www.first.org/epss/ A better understanding of (potentially) exploitable vulnerabilities will help organizations prioritize but I still think the focus on detection and response is more important as 0days and gaps in these models leave you vulnerable.

Jorge Orchilles

This would help in prioritizing update activities; you still need to apply your local environmental considerations and regulatory requirements which may constrain your risk-based approach. Even so, it's a potential win for resources which are already stretched thin.

Lee Neely

2022-08-16

An Argument for ”Whole-of-State” Cybersecurity

Former NSA Director Gen. (Ret.) Keith Alexander and North Carolina Chief Risk Officer Maria Thompson write that “While adversaries are launching sector-wide and supply-chain attacks to get the biggest bang for their buck, we’re fundamentally still defending on an individual basis.” They propose “a ‘whole-of-state’ approach to cybersecurity — one that breaks down the silos and enables real-time, cross-jurisdictional collaboration across the entire state to improve the cybersecurity posture of all stakeholders.”

Editor's Note

The reason attacks have been able to continue to succeed really is NOT because attackers attack entire industries or supply chains at once – the real key is attackers have gotten much better at tailoring attacks against particular vulnerabilities at particular targets to achieve particular goals. Collaboration across industries has long been recognized as a good thing, as efforts like the Financial ISAC have shown for a long time – such collaboration does NOT require the use of a particular product. For US state and local, in May the Biden administration increased funding through DHS to the Multi-State ISAC – the MS-ISAC should be the focus of increased collaboration across states to raise the bar against attackers.

John Pescatore

The vision is that broad visibility to incidents, across an entire state or region, can help to identify trends and activities which could allow for mitigation activities to slow or block their continued spread. The challenge is defining how that visibility is to be achieved, and then providing the tools and resources to state agencies to achieve it. And the sad reality is that without a mandate, which includes funding, not a lot of traction can be obtained. Further, the organization collecting the data will need to be equipped to address concerns relating to the security of that data, as well as privacy/NDA constraints. While this parallels what DHS/CISA are doing at the federal level, it's not clear they have the capacity to take this on as well.

Lee Neely

This opinion is absolutely correct, but who's the hero who'll bring us all together?

Christopher Elgee

Given that almost any system connected to the public networks is part of the national infrastructure, we all have an interest in the security of those systems.

William Hugh Murray

2022-08-16

RubyGems Mandating MFA for Popular Maintainers

As of Monday, August 15, RubyGems will be requiring multi-factor authentication (MFA) on the accounts of popular maintainers. For the time being, the new rule applies to “owners of gems with over 180 million total downloads.” Once MFA has been rolled out to that group, the requirement will be extended to additional maintainers.

Editor's Note

This is about account takeover and supply chain security. Their move is designed to be consistent with what package registries are doing. RubyGems started enforcing the MFA requirement 8/15; owners without MFA will no longer be able to edit their profile, perform privileged actions (push/yank gems, add/remove gem owner) or sign into the command line. Once a package exceeds 180 million downloads, MFA will be required.

Lee Neely

I see this as a growing trend and a good one, MFA being required for important accounts. Is MFA perfect? No. Is it effective? Yes. My one concern is we now have so many variations of MFA, and different definitions of what constitutes ‘strong’ MFA, that even I’m getting confused.

Lance Spitzner

Code repositories are about as sensitive as an application can get. The use of strong authentication continues to become more convenient and efficient. It is essential to the kind of accountability that is so lacking in software.

William Hugh Murray

2022-08-18

Apple Updates Address Zero-Days in macOS, iOS, iPadOS, and Safari

Apple has released macOS Monterey 12.5.1 and iOS/iPadOS 15.6.1 to fix two out-of-bounds write vulnerabilities that are reportedly being actively exploited. One of the flaws affects the OS kernel; the second affects the WebKit browser engine. Apple has also released Safari 15.6.1 for macOS Big Sur and Catalina to fix the WebKit vulnerability.

Editor's Note

Apple released 3 distinct updates. The first two are for the current version of macOS and iOS/iPadOS. They fix the WebKit vulnerability affecting Safari as well as a privilege escalation vulnerability in the kernel. The third update is only updating Safari, and it is meant for the older operating system. At this point, there is no patch for the privilege escalation vulnerability for older versions of macOS. These older versions may not be affected, or we will see a patch for them later.

Johannes Ullrich

Yeah, actively exploited – doggone it. Leverage that with your users waiting for iOS 16 or macOS 13 in September instead of applying these updates. Odds are you're going to need time to do testing of the newest OS versions before pushing them, so September rapidly becomes November, and the wait a few weeks before applying updates becomes not only longer, but also an increased risk of exploit.

Lee Neely

2022-08-18

Amazon Fixes Ring App Vulnerability

Amazon’s Ring has fixed a vulnerability in its Android app that could have exposed users’ personal information, geolocation, and saved recordings from their cameras. The Android Ring app has been downloaded more than 10 million times. The vulnerability was detected by researchers at Checkmarx, who notified Amazon’s Vulnerability Research Program about the issue on May 1, 2022; Amazon released a fix on May 27.

Editor's Note

In addition to updating your Ring app, make sure that you've minimized the alerts which draw attention to your smartphone/tablet being connected to a Ring doorbell/etc. Make sure that your Ring Neighbors app is also updated and verify your security settings are current. Make sure you understand the conditions under which your doorbell or other security device footage can be shared by your provider with law enforcement with and without your consent.

Lee Neely

Always nice to highlight success stories around vulnerability disclosure and rapid vendor fix. This required malware to get onto Android first, risk somewhat mitigated by the Google Play app store process. Would be good to hear from Amazon why Reflected Cross-Site Scripting (XSS) vulnerabilities in all Amazon code will be much less likely after this one.

John Pescatore

2022-08-18

Update Zoom for macOS, Again

Zoom has released a second update for an auto-update utility vulnerability in Zoom for macOS after the first fix was bypassed. The initial patch was made available over the weekend; the new update, version 5.11.6 (9890) was released on Wednesday, August 17.

Editor's Note

While it seems the 5.11.5 patch was an incomplete fix, CVE-2022-28757 was released for this issue, which looks identical to CVE-2022-28756 except for the version, and this one was reported by Csaba Fitzl of Offensive Security. This has a base CVSS score of 8.8 - so you want to jump on this. Again, not a good idea to wait for the auto-update process to catch up.

Lee Neely

2022-08-18

Ransomware Affects UK Water Company

A UK water company was hit with ransomware earlier this week. There was some confusion about which company was the victim, as the perpetrators published incorrect information about the company they had targeted. Both the incorrectly identified company and the actual victim have published statements.

Editor's Note

By all indications, it appears that the weaknesses and exfiltrated data from the smaller company, South Staffordshire PLC, were used to try to exact a response, including payment, from the much larger Thames Water company. The most obvious lesson is one of verification. When you're being extorted over exposure of your data, make sure that it really is your data. South Staffs is still working to restore its IT services; fortunately, its ability to supply water to customers was not impacted.

Lee Neely

2022-08-18

Janet Jackson Music Video Can Crash Hard Drives on Old Laptops

A computer manufacturer discovered that playing the music video for Janet Jackson’s 1989 song Rhythm Nation can crash hard drives in certain older laptops. Not only does the video have the capacity to crash laptops on which it is played, but it can also crash drives of nearby laptops. “It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that” the affected laptops used. The manufacturer created a custom filter to remove the identified frequencies during audio playback.

Editor's Note

Real "fun" vulnerability, and it got its own CVE number! The effect isn't new. There have been reports of mass disk failures in data centers triggered by fire alarms, and it has been well documented that mechanical drives suffer performance penalties in high vibration (loud) environments. A classic video demonstration can be found here: https://www.youtube.com/watch?v=tDacjrSCeq4

Johannes Ullrich

Show of hands, how many of you are getting ready to try this and see which laptops will crash? This affects laptops from around 2005, and has its own identifier of CVE-2022-38392. With apologies to my Netwars family and other similar event hosts, without appropriate filters, you may (still) not want to play this album during CTF events as that “burner” laptop participants are using may be old enough.

Lee Neely

Impossible to resist commenting on this one: when I was 11 years old, William Shatner (Star Trek’s Captain Kirk) released his “version” of the Beatles' “Lucy in the Sky with Diamonds” that made everyone assume he had taken LSD. Playing that on any computer will likely cause the sound card to self-destruct…

John Pescatore

This is, hands down, my new favorite CVE.

Jorge Orchilles

Internet Storm Center Tech Corner

Honeypot Attack Summaries with Python

https://isc.sans.edu/diary/Honeypot+Attack+Summaries+with+Python/28956


A Quick VoIP Experiment

https://isc.sans.edu/diary/A+Quick+VoIP+Experiment/28950


VBA Maldoc and UTF7 (APT-C-35)

https://isc.sans.edu/diary/VBA+Maldoc+%26+UTF7+%28APT-C-35%29/28946


Apple Patches Two Exploited Vulnerabilities

https://isc.sans.edu/diary/Apple+Patches+Two+Exploited+Vulnerabilities/28952


Safari Update

https://support.apple.com/en-us/HT213414


UWB Real Time Location Systems: How Secure Radio Communications May Fail in Practice.

https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems.pdf


iOS VPN Leaks

https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php


Janet Jackson Hard Drive DDoS

https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994


Google Chrome Update

https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html


Cisco staystaystay exploit tool

https://www.youtube.com/watch?v=ySgbHClk9HE


Disrupting SEABORGIUM's Ongoing Phishing Operations

https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/


TP-Link Vulnerability

https://blog.viettelcybersecurity.com/1day-to-0day-on-tl-link-tl-wr841n/