Educate Web Admins on Data Leakage Risk of Analytics Tools; Patch VMware Now to Stop Active Exploits; Beware of Malicious Proof-of-Concept Code on GitHub and Other Repositories

There has been a lot of movement in recent years by software architects to include privacy as part of their DevOps requirements, but they don’t always understand the complexity of how much data is being leaked, or where it is being leaked to, in the tools that are used to maintain those web sites once they go production. This piece is a good one to use to show the CIO and get security expertise integrated into that aspect of DevOps.

John Pescatore

The organization was using tracking services from Google, Facebook and others. Depending on how a user’s browser was configured and logged into the third-party services, obtained data may have included first and last names, dates, times and types of scheduled appointments or procedures and insurance information, underscoring the importance of knowing what data is shared when you're deploying tracking or other analytics supporting information on customer facing web sites. Keep in mind the data collected could fall into PII or PHI which can get you crossways with regulators and regulations (GDPR, CCPA, HIPAA, etc.) At a minimum, exclude them from pages where sensitive information is collected or displayed.

Lee Neely

Just as many enterprises have been slow to patch routers and switches because of the need to bring the network down to do so, VMware patching is often too slow. In the April patch release VMware said these vulnerabilities enabled remote code injection and attacks had been seen in the wild back in April. Should have been a high priority patch.

John Pescatore

We all hate patching servers because of the mission impact. The good news is that you can typically update VMware Tools without a reboot, and with proper configuration, move services to other servers so you can patch the running hypervisor. That leaves the VMware services themselves, often appliances just humming along. Guess what - you need to fix them too. Make sure that you have a policy which sets limits on applying patches, with supporting scans and consequences. Question excuses that there is no way a particular vulnerable component can be exploited carefully.

Lee Neely

Fake exploits have a long history, and more recently, GitHub has become the favorite place to post real as well as fake exploits. Whenever you download an exploit, no matter if it comes from GitHub or other sources, first try to understand what the code is doing and be suspicious if parts of the code are particularly obfuscated or hard to read. Even once you review the exploit, run it with caution on isolated machines.

Johannes Ullrich

I know you want to download the exploit PoC and try it out in your lab. The message here is that they are often loaded with added malware you’re not expecting. Make sure you fully understand any obfuscated or binary code downloaded before executing it. Leverage OSINT tools like VirusTotal to analyze binaries. Also beware of network connections made / attempted in the lab in case the code is calling for more components or phoning a friend.

Lee Neely

This continues the focus on critical infrastructure, as promised. This also focuses on the model that these critical sector components are tight on resources and funding, which hopefully will either result in low-cost guidance and/or funded services to help raise the bar without creating a regulatory impossible dream. If nothing else, guidance can be leveraged to help self-assessments to a risk-based approach to making (affordable) improvements.

Lee Neely

The Center for Internet Security has published and widely used consensus configuration benchmarks for Office 365 and many other cloud services. Full list at https://learn.cisecurity.org/benchmarks

John Pescatore

The SCuBA project’s initial scope is Microsoft 365 and Google Web Services and an automated tool to perform assessments. Over time they expect to grow to other environments. They are basing their reference model on many existing directives including CISA cloud security guidance (CDM, Zero Trust, Cloud Security TRA), Federal cloud security guidance (FedRAMP, OMB Zero Trust M-22-09, OMB logging (M-21-31) and Federal ICAM architecture. All in all giving an overview of how all these fit together to not only aid security but also aid in incident response. Two risks - having visibility to the data needed, such as CDM and your cloud service providing needed/timely log data to your SIEM. Even so, if you’re in the federal space, review the document and provide feedback to QSMO@CISA.dhs.gov.

Lee Neely

CNC machines are driven by computers with full operating systems. They are designed to last a long time, with that same OS. But that doesn’t mean they are secure enough to be on your network, let alone able to reach the Internet. Isolate (segment) and monitor them, apply patches when released. Only apply supported patches to avoid “bricking” a very expensive device. Don’t expect security improvements in a newer model, the OS supplied is selected for its ability to run the CNC machine, not security.

Lee Neely

Purpose-built machines should be easier to secure than more flexible general-purpose machines. Unfortunately, that is not the result we see. This results in part from the fact that these systems are built by those expert in the purpose but naive about security, in part because they incorporate general purpose components.

William Hugh Murray

This is the fourth largest fine imposed by ICO. The intent is to induce careful consideration of the cyber security of business partners. When was the last time you assessed the security of services you’re using to share or process information, particularly business sensitive or regulated data? Can they demonstrate they are keeping services updated and current? Do you know how your data is separated from other customers’ data and is that sufficient? Don’t exclude your cloud services or hosted infrastructure. Consider the level of access their staff has to your data, physical and logical.

Lee Neely

Initial access is gained by VPN servers; either exploiting a weakness or leveraging captured credentials. Then lateral movement leverages RDP and SSH. A good first step here is to make sure that your VPN is MFA required. While you’re verifying that is the case, make sure that they are being patched and updated. Nobody likes an interruption of the VPN, and the breach hurts more. Keep your VPN current, and don’t leave the old-unsupported (exploitable) units around “just in case;” make sure lifecycle includes sufficient redundancy for fail-over during maintenance windows.

Lee Neely

There are a couple of authentication bypass flaws, a memory corruption vulnerability, and a code injection flaw. The good news is that updating to the latest version of the All-in-One Security kit fixes the flaws. Don’t wait on your round-to-it here, the flaw can be leveraged to take over items like your security cameras, which would be “bad.” Make sure that patches for security systems are up there with your patching of boundary protection devices in terms of priority and criticality.

Lee Neely