SANS NewsBites

Microsoft Releases More Mitigations, But Still No Fix, for Exchange Vulnerabilities; Patch Exchange Servers to Avoid CISA-documented Supply Chain Attack; Prioritize Matter Smart Home Standard Certification for Future IoT Procurements

October 7, 2022  |  Volume XXIV - Issue #78

Top of the News


2022-10-06

Microsoft Releases Updated Mitigations for Exchange Server Flaws

Microsoft has updated its Customer Guidance for Reported Zero-day Vulnerabilities in Exchange Server; Microsoft’s initial mitigations were found to be insufficient. The flaws, which are together being called ProxyNotShell, were disclosed in September. Microsoft has not said when it expects to have a fix available.

Editor's Note

Keep an eye on the Microsoft guidance below. It has been revised at least three times. If you’re using the Microsoft-provided scripts, such as EOMTv2, you need to grab the updated versions and run them again. Given that there is no patch yet, you really need to verify the path forward for on-premises Exchange servers, with an eye to getting out of that business.

Lee Neely

2022-10-05

State-sponsored Hackers Lurked in US Military Contractor’s Network for Months

In a joint cybersecurity advisory (CSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) say that cyber intruders lurked in a US military contractor’s network for months. The state-sponsored threat actors stole sensitive data. The CSA provides technical details of the incident response that took place between November 2021 and January 2022.

Editor's Note

This information is very useful to build post-exploitation detection rules. The attack involved an Exchange server, so with that in mind, it makes an interesting read to understand what more advanced attackers may attempt after the initial compromise.

Johannes Ullrich

DHS counts over 100,000 companies as part of the Defense Industrial Base, so there are many other similar stories. This one is another example of unpatched Exchange vulnerabilities being exploited at the front end, and then a lack of monitoring/hunting processes led to an unacceptably long time to detect.

John Pescatore

Not only was one group hanging out for a long time, but also other APTs came and went during that same interval. The mitigations focus on monitoring for impossible logins, impossible travel and multiple account use over a single VPN connection. MFA has to be mandatory for remote access. Make sure that remote access services are known, approved and secure. Use separate accounts for administrative privileges, then monitor their use. Limit these accounts to only those who need them and audit this regularly. Trust me, anyone with a C in their title doesn’t need one outside of any privileges needed to manage their laptop.

Lee Neely
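Lee Neely's note above lists the detections the CISA advisory recommends. As an added example, not code from the advisory or this newsletter, the following Python runs two of them over constructed VPN log lines: several accounts authenticating over one VPN session, and impossible travel for a single account. The log format, the session/user/IP values and the GEO lookup table are all assumptions standing in for a real VPN log and a GeoIP database.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log lines (hypothetical format): timestamp session_id user source_ip
VPN_LOG = """\
2021-11-03T08:00:00Z sess-101 alice 203.0.113.10
2021-11-03T08:05:00Z sess-101 bob 203.0.113.10
2021-11-03T09:00:00Z sess-102 carol 198.51.100.7
2021-11-03T09:40:00Z sess-103 carol 192.0.2.55
"""
# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (38.9, -77.0),  # Washington, DC area
    "198.51.100.7": (38.9, -77.0),
    "192.0.2.55": (55.75, 37.6),    # Moscow
}

def parse(text):
    """Return (timestamp, session, user, ip) tuples from the log text."""
    events = []
    for line in text.strip().splitlines():
        ts, sess, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sess, user, ip))
    return events

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def shared_session_accounts(events):
    """Sessions in which more than one account authenticated: many users, one VPN connection."""
    users = defaultdict(set)
    for _, sess, user, _ in events:
        users[sess].add(user)
    return {s: sorted(u) for s, u in users.items() if len(u) > 1}

def impossible_travel(events, max_kmh=900.0):
    """Consecutive logins by one user whose implied travel speed exceeds max_kmh (airliner speed)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, _, _, ip1), (t2, _, _, ip2) in zip(evs, evs[1:]):
            km = haversine_km(GEO[ip1], GEO[ip2])
            hours = (t2 - t1).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, ip1, ip2, round(km / hours)))
    return hits
```

On the constructed log this flags sess-101 (alice and bob on one connection) and carol's DC-to-Moscow hop 40 minutes apart.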

2022-10-06

Matter 1.0 Smart Home Standard Specification Released

On September 28, the Connectivity Standards Alliance released the specification for the smart home standard Matter 1.0. “The Matter specification defines fundamental requirements to enable an interoperable application layer solution for smart home devices over the Internet Protocol.” Matter allows communication between devices on the local network, and it is encrypted.

Editor's Note

While there seems to be a plethora of IoT standards organizations, the CSA-IoT has some big names on board: Amazon, Apple, Google, Samsung, etc. The security concepts are thorough and complex; however, over the long run, low-end/consumer-grade “thing” providers are unlikely to reach that level anytime soon, but certification against the CSA-IoT standards would provide procurements with a key criterion for selecting secure devices.

John Pescatore

Having a clear interoperability standard, to include required encryption, is a huge step forward for IoT devices. And Amazon, Google, and Apple are expected to release Matter 1.0 certified devices in the next month or so. The trick is that 1.0 is limited to relatively simple devices like plugs, switches and light bulbs; basic sensors and controllers for garage doors, shades or blinds; and of course, hubs and bridges. Watch for firmware updates to add Matter compatibility over time to your existing devices, as well as updates to the standard to add devices not currently covered. This could be a much more interesting conversation prior to Christmas 2023. In the meantime, remember to leverage separate networks for those devices and consider what connectivity you provide them. Your wireless hotspot’s out-of-the-box guest WiFi could be the interim solution you’re looking for.

Lee Neely

The Rest of the Week's News


2022-10-06

Australia Proposes Temporary Changes to Data Privacy Rules in Response to Optus Breach

In the wake of the Optus breach, Australia’s government has proposed changes to the country’s Telecommunications Regulations 2021. “The amendments will enable telecommunications companies to temporarily share approved government identifier information (such as drivers licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach.”

Editor's Note

Data sharing agreements are critical on many levels. Prefer to do this on a case-by-case basis, but sometimes this is hindered by local regulations. Australia is stepping in to remove the regulatory restrictions; even so, all parties must use due diligence to ensure the data is properly protected and disposed of properly, both in alignment with the agreement and regulatory requirements. When in doubt, seek expert guidance.

Lee Neely

2022-10-06

Australian Police Arrest Individual for Allegedly Exploiting Optus Breach for Financial Gain

Police in Australia have arrested a person who allegedly attempted to extort funds from victims of the Optus data breach. It appears that this individual was not behind the attack, but used some of the leaked data to send threatening messages to victims.

Editor's Note

Reporting fraud attempts to the proper authorities can make a difference. Use this as an example to support your reporting requirements, both externally and internally. Determine the ability to take such a report, as well as how, prior to an incident.

Lee Neely

2022-10-04

Health Sector Coordinating Council Cybersecurity Working Group Asks NIST for Guidance Specific to Small and Lesser-Resourced Entities

The Health Sector Coordinating Council Cybersecurity Working Group has asked the US National Institute of Standards and Technology (NIST) to provide guidance for small and lesser-resourced healthcare organizations. The request comes in response to NIST’s request for comment on the SP 800-66r2 initial public draft; it asks NIST to “create an entirely separate document specifically for small and mid-sized entities that expresses in plain English why practicing good cyber hygiene is imperative for compliance, business operations and, ultimately care delivery and patient safety.”

Editor's Note

The HSCC’s comments mainly focus on NIST making sure that, to aid smaller healthcare organizations, SP 800-66 references the resources produced by the 405(d) program that is a collaboration between HHS and private industry. Good idea - many of these are aimed at getting the basics across to smaller businesses impacted by HIPAA. On the security controls side, the Center for Internet Security Critical Security Controls has resources for smaller entities and how Implementation Group 1 of the Controls reaches the essential security hygiene level, including mapping to the NIST Cybersecurity Framework.

John Pescatore

The risk is having too many guidance documents. It’s better to include a tailored approach for controls, such as with SP 800-53, with appropriate guidance on how different factors, such as size, are to do that. Then you’re more likely to be on the same page with regulators about the path you followed to implement needed controls.

Lee Neely

2022-10-06

Former Uber CSO Found Guilty of Obfuscating 2016 Breach

Former Uber Chief Security Officer (CSO) Joe Sullivan has been convicted on charges of obstructing justice and actively hiding a felony. While the Federal Trade Commission was investigating an earlier data breach of Uber’s system, Sullivan learned of a new breach. He arranged for the attackers to be paid a ransom through Uber’s bug bounty system.

Editor's Note

It is important to note that legal actions against CISOs (as with other corporate execs) are not coming from failure to avoid an attack. The ones to date have been because laws around notification or reporting have been violated. Every company should by now be far past the point where avoiding or whitewashing breach notifications is even considered.

John Pescatore

This keeps getting better and better. Sweeping issues under the rug or cleverly reclassifying a breach as a vulnerability disclosure are at best a fool’s errand and at worst a career-ending move. Aside from assuring confidentiality is maintained appropriately, keep records of disclosure decisions and leverage your legal counsel.

Lee Neely

2022-10-05

CommonSpirit Health Suffers IT Security Incident

A cyberattack affecting CommonSpirit Health has led to IT outages at facilities across the US. CommonSpirit has 142 hospitals and more than 700 care sites in 21 states. CommonSpirit said it took down some IT systems as a precaution. Multiple facilities have said they are operating under electronic health record (EHR) downtime.

Editor's Note

EHR downtime means manual or fallback services are in use. If you have to fall back like this, consider how you’re going to communicate with partners and suppliers. Can you fax them an order? Do you want to take the risk of using non-approved services, or have vetted backup systems/procedures on standby? Maybe you want to nail that down.

Lee Neely

2022-10-05

20-year Prison Sentence for Individual Involved in NetWalker Ransomware Attacks

A federal court judge in Florida has sentenced Sebastian Vachon-Desjardins to 20 years in prison for his role in a series of NetWalker ransomware attacks that extorted millions of dollars from organizations all over the world. Vachon-Desjardins was extradited to the US from Canada to face the charges of conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

Editor's Note

Here is some good news for your Friday. While you may be celebrating the conviction of Vachon-Desjardins for his role in extorting funds, don’t hold your breath expecting full remuneration to his victims.

Lee Neely

2022-10-06

Kaspersky Report on Less Common Primary Infection Vectors

Researchers from Kaspersky recently looked into less-commonly used vectors of infection in malware campaigns. The methods include infection through malicious torrents (CLoader), infection through a fake Tor Browser (OnionPoison), and a backdoored and signed benign tool (AdvancedIPSpyware).

Editor's Note

A posture of only allowing connections to approved services and protocols goes a long way to mitigating this type of risk. In a zero-trust world this protection moves to the endpoint, but you still need centralized control and visibility; implement similar controls at your perimeter for devices which lack the capacity to do it locally. Yes, this requires the ability to dynamically update that rule set (so you need a good threat feed); consider a default-deny posture, as it is likely to have fewer services go bad and need blocking.

Lee Neely

Internet Storm Center Tech Corner

Infosec Calendar

https://isc.sans.edu/forums/diary/What+is+in+your+Infosec+Calendar/29118


Credential Harvesting with Telegram

https://isc.sans.edu/forums/diary/Credential+Harvesting+with+Telegram+API/29112/


Updated Microsoft Exchange Fix

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/


MacOS Archive Utility Vulnerability Details

https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/


OnionPoison: infected Tor Browser installer distributed through popular YouTube channel

https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/


Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

https://www.cisa.gov/uscert/ncas/alerts/aa22-277a


A New Supply Chain Attack on PHP

https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-attack-on-php/