iOS 16 Lockdown Mode and Safety Check; Cisco Won't Release Patches for EoL Routers; Microsoft (and Others) to Require Token-Based Authentication

Apple's updates yesterday (see story below) fixed a number of security vulnerabilities, one of which was already exploited in the wild. Apple made updates available for iOS 15 as well as 16, so you are not forced to updated to take advantage of the bug fixes. Features like Lockdown may provide substantial security benefits, but realize they come at the cost of limiting functionality.

Johannes Ullrich

Lockdown mode, available in iOS 16, iPadOS 16, and macOS 13 (Ventura), is intended for VIPs who would be targets of a nation state attack traveling in risky areas. The controls would likely be unacceptable full time. They could be part of your baseline configuration for a loaner pool of devices used on foreign travel, but don’t overlook those demanding to take their regular device and not use a loaner. The Safety Check (under Settings, Privacy & Security) allows you to manage sharing and access, take a few minutes to review (and possibly update) what you’re sharing with others, services you’ve granted applications access to, devices logged into your AppleID. The learn more option on the Safety Check main screen provides information on using the service and what it does, which you should familiarize yourself with prior to being in a situation where you need to make changes.

Lee Neely

I’m a huge fan of both of these features. Lockdown is one of the very first vendor solutions that trades security for functionality, a trade-off I think more people will be interested in than Apple might perceive. Safety Check is one I did not even know was coming, and applaud Apple. There is actually a 3rd BIG security feature called by Apple Passkeys, which turns your Apple devices into a FIDO device, enabling phishing resistant, biometric based MFA. In other words, you may not even need passwords anymore as your device is your authentication.

Lance Spitzner

I expect the use of both of these features to be sparse. However, the existence of these two features illustrates how important to our daily lives the mobile computer has become.

William Hugh Murray

It is very important to track the end of life/end of support of hardware and software you are using. Cisco at least still releases notices alerting users of new vulnerabilities. Other vendors may just go silent after their products reach end of support.

Johannes Ullrich

If you're using the RV100W, RV130, RV130W or RV215W router/firewalls, it’s time to forklift them out of there. Even if you’re not using the IPSec VPN network on these (and therefore not vulnerable to these issues), they are end-of-life and other security updates will not be forthcoming.

Lee Neely

The smaller the number of appliances that one manages, the less efficient it is to patch one. For small numbers of old devices, the cost of maintenance is likely to exceed the cost of replacement.

William Hugh Murray

Microsoft has provided diagnostic tools to help analyze specific issues with disabling basic authentication. You can have a specific service re-enabled by opening a support ticket, but that only buys you until January 2023 where the change becomes permanent. Even if Microsoft moves that date, don’t let off the gas on preparing to use MFA for your EXO access; you want to be prepared and tested before the ability to revert changes is removed. Enabling MFA for EXO includes configuring a window of how frequently you wish to re-verify users (e.g., every 30 or 60 days) which reduces the impact of this change. If you’re using MS365 with a separate IDP, make sure that you understand the change to that IDP behavior.

Lee Neely

Better late than never. I am of the opinion that all software vendors should ship products with secure configurations by default and allow the customer to make changes if they must/really need to.

Jorge Orchilles

These are very welcome moves by all the providers covered in this article. However, security should be the default setting for many of the cloud services and one that is included in all subscription levels, not just at premium subscriptions.

Brian Honan

Read the PDF to understand what they mean by these five breakthrough factors. This is not just treating everyone the same, it also means understanding how they differ to help them achieve greatness. Engaging and supporting future workers early on, e.g., high school or earlier, is important. Share your passion and enthusiasm, don’t be patronizing, and provide support and opportunities irrespective of gender. If you think you’re doing these, ask your younger workers for brutal feedback, and make adjustments as needed.

Lee Neely

The 11 CVEs are addressed both in iOS/iPadOS 15.7 and iOS 16. iOS 16 is only available for the iPhone 8 or newer at this time, so you may want to push out 15.7 until you’re certain your fleet of devices can all run 16. If you still have devices hanging out on iOS 14, it's time to move them to at least 15 as iOS 14 support is expected to end with the release of iOS 16. Don’t overlook the updates to watchOS, Safari and macOS. Note that Apple Watch series 4 or later is required for watchOS 9.

Lee Neely

Don’t think of this as a one-way street. While rapid reporting to CISA can help provide them overall situational awareness, CISA also has resources you, as taxpayers, can leverage when you need them. Read the proposed legislation and consider your barriers to participation, then let CISA know how those could be addressed. Don’t sit on your feedback; November 14th will arrive faster than you may think. The links from the Federal Register below include both information on how to provide feedback as well as where you can find the public listening sessions.

Lee Neely

Now vehicle, OEM, and after-market accessory manufacturers need to incorporate these best practices which will take time. It will be interesting to see if further steps to add consequences for failing to incorporate adequate cybersecurity practices are taken.

Lee Neely

You already checked to make sure that you're running the current version of BackupBuddy (8.7.5) or removed it because it’s no longer needed. It's OK, I’ll wait. Now, double check your WAF protections for directory traversal and file inclusion rules are in place. Incorporate the IOCs from the Wordfence blog into your IP blocklist. What was that? You don’t have a WAF in front of your WordPress site? The easy button is to pick up one designed for WordPress (like Wordfence), then subscribe to updates for immediate access to protections against current threats. Note you’re going to quickly eclipse that subscription cost cleaning up from one successful exploit.

Lee Neely

As technology becomes more useful in supporting decisions, particularly autonomous ones, the data which drives those decisions as well as the access to that data needs to be adequately protected. Consider that devices are able to effectively be on-line continuously, e.g. 5G, and those external developments, like Quantum computing, will continue to raise the bar on data protection. The basics will still apply: information should, ideally, be encrypted at rest with (MFA) access to only devices and users authorized to access that data. Keep data only as long as is necessary, and consider offline archive copies. Know which data is where and why. Make sure you are properly de-identifying data when sharing.

Lee Neely

Healthcare is struggling with current technology. Special care must be exercised in adopting the novel.

William Hugh Murray

Be prepared for collateral damage, such as your phone or email being offline, when recovering from a ransomware attack. Make sure that your business continuity plans are updated and regularly tested. Double check that your recovery times are both achievable and acceptable by senior management. Double check that you’re limiting lateral movement, both by segmentation and access controls, to reduce the need to proactively take everything offline after an attack. Make sure your rolodex includes verified contacts for not only helping with recovery but also investigation and reporting before you need them.

Lee Neely

Healthcare continues to be plagued by ransomware. It is hard to know whether this is because they are being specifically targeted or because they are vulnerable. However, the impact on EHR is because these systems are not sufficiently isolated from the public networks. Where such systems do use the public networks, they must be protected by end-to-end encryption and application aware firewalls.

William Hugh Murray