SANS NewsBites

Pressure Android Phone Vendors to Patch Faster; Test Your DDoS Readiness; Double Check Endpoints to Thwart Ransomware

November 29, 2022  |  Volume XXIV - Issue #92

Top of the News


2022-11-25

Android Vendors Need to Minimize the Patch Gap

The patch gap is the time between a vendor releasing a fix for a known flaw and that fix reaching the device manufacturers that ship the affected component. In June and July of this year, Google's Project Zero (GPZ) reported five vulnerabilities in the Arm Mali GPU driver. Arm released patches in July and August, but when GPZ recently examined major Android handsets, none of them had shipped the fixes to users.

Editor's Note

It has been an ongoing problem for Android users that updates to the operating system need to first pass handset makers and carriers, leading to long delays in the availability of patches, and in some cases, making patches unavailable at all for some handsets. Your best bet is a handset that is part of "Android One" which also avoids preinstalled bloatware.

Johannes Ullrich

Google does patch its Pixel phone faster than other Android-based phone vendors much of the time, so it does seem odd that Google’s own Project Zero found the flaws and Google still hasn’t patched them on the Pixel phone. This undermines one of the claimed benefits of choosing a Pixel phone.

John Pescatore

Google has started work on doing several things to make the patch gap smaller. One of the significant issues is how forked the Android Linux Kernel is from the Linux Kernel. Check out Project Mainline to see how they are trying to address this. One of the other projects that Android has been working on is Android One. The biggest challenge will be proprietary drivers from the Smartphone makers. This is something Google will not be able to control entirely. Unfortunately, this is where Google Pixel and Apple may have the edge. Is this an area that needs to be addressed with regulation? Will regulation slow things down unnecessarily? It’s a complicated problem to solve. Maybe it's best left to the hands of the consumer if that means that we sacrifice smaller players or cheaper devices.

Moses Frost

When it comes to Android, just as with Windows, there are multiple manufacturers to choose from. When assessing them, be sure to factor in both their plans for delivering updated versions of the OS and security patches, as well as deployment of firmware updates to their hardware components. Also make sure you have lifecycle replacement plans for mobile devices just as you would for more traditional IT; for Android devices that will be about three years.

Lee Neely

If "patch gap" is the "time it takes for a patch from a vendor ... to reach device manufacturers," then "patch lag" is how long it takes for it to reach your device. Lag is what is more important.

William Hugh Murray
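The "patch lag" the editors describe can be measured per device from what the handset itself reports. The following is an added example, not Project Zero's or Google's code: it parses the output of `adb shell getprop` (the `[name]: [value]` format Android prints) and flags devices whose advertised security patch level (`ro.build.version.security_patch`, always `YYYY-MM-DD`) is older than a threshold. The three devices and their serials below are constructed for the example.

```python
"""Patch-lag check for an Android fleet from `adb shell getprop` output.

Added example for the patch-gap item above; not code from Project Zero or
Google. The fleet below is constructed, not real devices.
"""
from datetime import date
from typing import Dict, List, Tuple

# Every Android build exposes its security patch level in this property (YYYY-MM-DD).
SECURITY_PATCH_PROP = "ro.build.version.security_patch"


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse `[name]: [value]` lines as printed by `adb shell getprop`; skip anything else."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]") and "]: [" in line):
            continue
        name, value = line[1:-1].split("]: [", 1)
        props[name] = value
    return props


def patch_lag_days(props: Dict[str, str], as_of: str) -> int:
    """Days between the device's advertised security patch level and `as_of` (ISO date)."""
    level = date.fromisoformat(props[SECURITY_PATCH_PROP])
    return (date.fromisoformat(as_of) - level).days


def stale_devices(fleet: Dict[str, str], as_of: str, max_lag_days: int = 60) -> List[Tuple[str, str, int]]:
    """Return (serial, model, lag_days) for devices whose patch level is older than
    max_lag_days, worst first. `fleet` maps serial -> raw getprop output."""
    stale = []
    for serial, output in fleet.items():
        props = parse_getprop(output)
        lag = patch_lag_days(props, as_of)
        if lag > max_lag_days:
            stale.append((serial, props.get("ro.product.model", "unknown"), lag))
    return sorted(stale, key=lambda row: row[2], reverse=True)


# Constructed getprop output for three hypothetical devices (not real serials or builds).
FLEET = {
    "serial-a": (
        "[ro.product.model]: [Vendor A Phone]\n"
        "[ro.build.version.release]: [13]\n"
        "[ro.build.version.security_patch]: [2022-11-05]\n"
    ),
    "serial-b": (
        "[ro.product.model]: [Generic Tablet]\n"
        "[ro.build.version.release]: [10]\n"
        "[ro.build.version.security_patch]: [2021-03-01]\n"
    ),
    "serial-c": (
        "[ro.product.model]: [Generic Phone]\n"
        "[ro.build.version.release]: [12]\n"
        "[ro.build.version.security_patch]: [2022-09-05]\n"
    ),
}

if __name__ == "__main__":
    for serial, model, lag in stale_devices(FLEET, as_of="2022-11-29"):
        print(f"{serial} ({model}): security patch level is {lag} days old")
```

Caveat: the patch level string only tells you which Android Security Bulletin the build claims to include. The Mali case above is exactly the kind of fix that is not covered by it, because the driver is vendor-supplied and patched outside the bulletin cycle, so treat a current patch level as necessary but not sufficient.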

2022-11-28

European Parliament Website Hit with DDoS

The website of the European Parliament (EP) was temporarily taken down last week due to a cyberattack. The attack came just hours after the legislative body passed a resolution calling the Kremlin a “state sponsor of terrorism.” An EP spokesperson said the website was the target of a distributed denial-of-service (DDoS) attack. The website is now operating as usual.

Editor's Note

Nations and their surrogates often use DDoS attacks to ‘voice’ displeasure at perceived political slights. While this attack could be viewed as more of a nuisance, it should serve as a reminder for organizations to revisit their recovery plans for service disruptions that impact business operations.

Curtis Dukes

The Russian group Killnet claimed responsibility for this attack. With the current prevalence of DDoS attacks, don't overlook one being aimed at you in response to a decision, press release, etc. Make sure that your cyber defenses are up-to-snuff. Don't forget to assess on-premises (including your ISP) as well as outsourced/cloud services to make sure you not only have DDoS protections enabled but also that they are tested. Also make sure the security on your endpoints is sufficient to detect and protect them from being used as a botnet, no matter who they are aimed towards.

Lee Neely

Denial of service attacks are among the few that are cheaper to mitigate than to prevent. Mitigation will involve upstream providers. Know those people by name.

William Hugh Murray

2022-11-28

Ransomware Operators Leak Belgian Police Force Data

Ransomware operators who thought they were targeting a Belgian municipality (Zwijndrecht, in the province of Antwerp) instead stole data from the Zwijndrecht local police force. The attackers leaked the data, which includes crime report files, investigation reports, traffic camera footage, and personnel information. They reportedly gained access to the network through an inadequately secured Citrix endpoint.

Editor's Note

Talk about collateral damage. This is not the way to find out your endpoints are not properly secured. Take a look at your scan results, making sure that findings (secure configurations, patching, end-of-life, etc.) are being resolved according to your risk ratings; maybe make sure those risk scorings/ratings are still appropriate. Now, go look at all your external services, outsourced, cloud, private cloud, etc., and have a clear understanding of who is on the hook for similar actions, then verify they are done within an acceptable level of risk. Make sure as much of this as can be automated is. Before going out to license new capabilities, check to see what is available/licensed which may not be fully utilized, if at all.

Lee Neely

Human error, coupled with lack of configuration and patch management is often the root cause of successful ransomware attacks. The recently published ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery for the Belgian police force.

Curtis Dukes

The Rest of the Week's News


2022-11-28

FCC Bans Imports from Five Chinese Telecoms

The US Federal Communications Commission (FCC) has barred the import and sales of Chinese telecommunications and surveillance products from Huawei, ZTE, Hytera Communications, Hikvision, and Dahua and their subsidiaries over national security risks. FCC chair Jessica Rosenworcel notes, “While we’ve flagged equipment as posing a national security risk, prohibited companies from using federal funds to purchase them, and even stood up programs to replace them, for the last several years the FCC has continued to put its stamp of approval on this equipment through its equipment authorization process.” The new rule means FCC will no longer permit the products to be submitted for the equipment authorization process.

Editor's Note

This is the more traditional supply chain security we're used to, and is still relevant, even in a post-SolarWinds world. Don't forget to consider the security of your suppliers, to include country of origin and influencers of the OEM process. This decision effectively bans the purchase of these brands within the US. Note that concerns with these manufacturers go back several years, and while this does introduce risks of having to purchase more expensive alternatives, a compromise can rapidly outstrip any money saved here.

Lee Neely

A bit of bureaucratic housecleaning being implemented by the FCC. The ban on imports does even the playing field for US technology providers that face growing tech nationalism policies by some countries.

Curtis Dukes

This ban is not surprising, but it will be interesting to see how this will change the landscape. On the smartphone side, we did not see much of Huawei, which is sold in many countries overseas. What we did see in the US were Huawei booths for their networking equipment at many of the conferences. We also have many enterprises that use Hikvision DVR and cameras. What will this mean for existing customers? Will they be able to get updates? Will there be a reciprocal reaction? It’s hard to tell, as US telecom players have sometimes had a more challenging time penetrating the Chinese market.

Moses Frost

2022-11-23

US Defense Department Releases Zero Trust Strategy and Roadmap

The US Department of Defense (DoD) has published its zero-trust strategy and an accompanying roadmap. To achieve its overarching purpose of a DoD information enterprise secured by a fully implemented, department-wide zero trust cybersecurity framework, the strategy incorporates four goals: zero trust cultural adoption, DoD information systems secured and defended, technology acceleration, and zero trust enablement. DoD has set a target date of 2027 for defense agencies to fully implement zero-trust standards.

Editor's Note

Here are two documents you can leverage to build your strategy and roadmap to ZTA, to include communication and capabilities for each of the five pillars. While five years seems like a long time, it's still a fairly short timeframe to implement across your entire infrastructure. If nothing else, make sure that you're architecting and purchasing with an eye to zero trust in the future.

Lee Neely

First and foremost, it will take a shift in security culture to fully realize zero trust. Meanwhile, a recent GAO report identified shortcomings in the Department's reporting of cyber incidents. One has to ask how the DoD will track implementation of the strategy across thousands of information systems.

Curtis Dukes

This has been a long time coming. It appears the DoD is getting very serious about how they will be addressing Zero Trust for many of their networks. There is also talk about moving to Software Defined Networking and Private Cloud (or Commercial Clouds) to make some of this work. The project plan outlined here shows a plan that dates into 2032. Many of our Commercial Products are also influenced by how the government spends in this space, so I suspect more and more vendors will focus on these efforts or risk losing these government spending contracts. This is one to watch.

Moses Frost

This is a very interesting read for anyone interested in implementing elements of Zero Trust into their own environments. Of note is the roadmap and that expectations should be set that Zero Trust will not be achieved quickly but rather will be a long and time consuming project.

Brian Honan

2022-11-25

Google Updates Chrome to Fix Zero-day

Google has updated the Chrome Stable Channel for Desktop to address a zero-day vulnerability in the browser. Google is not yet disclosing details beyond describing the flaw as a heap buffer overflow in GPU; it is the eighth Chrome zero-day Google has fixed this calendar year. Per the description, the flaw "in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page."

Editor's Note

Here we go, 8th Zero-day fix for Chrome/Chromium in 2022. You know the drill. Don't assume this got pushed over the Thanksgiving holiday: make sure it either was or is scheduled for like now. This, along with CVE-2021-35587 for Oracle Fusion Middleware were added to the NIST KEV catalog November 28th with due dates of December 19th, which will be here soon enough.

Lee Neely

When will you be viewing Google Chrome as Adobe Reader? Chrome was once heralded as a very safe browser in comparison to the bugs found in the other browsers. How many Chrome vulnerabilities have we seen in the last 24 months? Is it “irrelevant” as Chrome patches itself?

Moses Frost

2022-11-24

Metropolitan Police Send Texts to Notify Fraud Victims

London’s (UK) Metropolitan Police are texting more than 70,000 individuals who are likely victims of online banking scams. The notifications follow an international operation that shut down operations of a crime group that spoofed phone numbers of numerous banks. More than 100 people have been arrested in connection with the scams.

Editor's Note

This is pretty cool. In this case fraudsters were randomly calling people, claiming to be their bank contacting them to discuss suspicious activity on their accounts. They were impersonating Lloyds, HSBC, Barclays, Halifax, First Direct, Nationwide, TSB, NatWest and Santander. The cool part is that police are texting numbers connected for over a minute to the known fraudsters to collect information to bolster the case against the fraudsters.

Lee Neely

2022-11-25

RansomExx Malware Moves to Rust Programming Language

The RansomExx malware has been rewritten in the Rust programming language, which helps it evade detection by antivirus products and increases the time needed to reverse engineer it. Rust also offers cross-platform support. Other ransomware groups have likewise migrated their malware to Rust.

Editor's Note

The prior version of this ransomware was written in C++. At the time of writing, 14 of the 60+ AV detection engines tested detected the Rust-based malware. The current version of RansomExx2 is only available for Linux platforms; given the history of the group writing the malware, a Windows version is imminent. Other ransomware released in Rust includes Hive, Zeon and BlackCat.

Lee Neely

2022-11-23

Discontinued Boa Web Server Used in Cyberattacks

Although Boa web server was discontinued in 2005, it is still being used by vendors in Internet of Things (IoT) devices and software development kits (SDKs). Organizations may be unaware that devices on their networks run services that use Boa. Researchers from Recorded Future published a report in April describing cyberattacks that leveraged Boa vulnerabilities. In a recent blog post, Microsoft Security Threat Intelligence “detail[s] the risks affiliated with vulnerable components, highlighting the Boa web server, and how [they] suspect these components could be exploited to target critical industries.”

Editor's Note

The Recorded Future report details internet facing DVRs/IP Cameras co-opted as C2 control points. There is no such thing as leaving something exposed because it's "unlikely" to be compromised. Remember IoT is about availability and functionality first. Put access controls in front of services, and if they can't support MFA, make sure that the protecting control does. Yes, it's a nuisance to add layers like these but reusable credentials don't cut it, nor do you want to be outed as an attack enabler.

Lee Neely
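The first step the Boa item implies is finding out whether anything on your own network still answers with a Boa banner. The following is an added example, not code from the Microsoft or Recorded Future write-ups: it parses raw HTTP responses (as a scanner or packet capture would hand them back), extracts the Server header case-insensitively, and reports any host advertising Boa along with the version. The captures below are constructed, not real devices; the assumption that Boa identifies itself as `Boa/<version>` matches its default banner, and the last Boa release was 0.94.14rc21.

```python
"""Flag HTTP services whose Server banner identifies the discontinued Boa web server.

Added example for the Boa item above; not from Microsoft or Recorded Future.
The captures are constructed to look like what a scanner would record.
"""
import re
from typing import Dict, List, Optional, Tuple

# Boa's default banner is "Boa/<version>"; the project's last release was
# 0.94.14rc21 (2005), so any Boa banner means an end-of-life component.
BOA_BANNER = re.compile(rb"^Boa/(?P<version>[0-9][0-9A-Za-z.\-]*)", re.IGNORECASE)


def server_header(raw_response: bytes) -> Optional[bytes]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip()
    return None


def boa_version(raw_response: bytes) -> Optional[str]:
    """Return the Boa version string if the response came from Boa, else None."""
    banner = server_header(raw_response)
    if banner is None:
        return None
    match = BOA_BANNER.match(banner)
    return match.group("version").decode("ascii") if match else None


def find_boa_hosts(captures: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """captures maps 'host:port' -> raw response; returns sorted [(host:port, version)] hits."""
    hits = []
    for endpoint, raw in captures.items():
        version = boa_version(raw)
        if version is not None:
            hits.append((endpoint, version))
    return sorted(hits)


# Constructed captures for hypothetical hosts (not real devices).
SAMPLE_CAPTURES = {
    "10.0.0.12:80": (
        b"HTTP/1.0 200 OK\r\n"
        b"Date: Mon, 28 Nov 2022 10:00:00 GMT\r\n"
        b"Server: Boa/0.94.14rc21\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html>login</html>"
    ),
    "10.0.0.13:80": b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.14:8080": (
        b"HTTP/1.0 401 Unauthorized\r\n"
        b"server: boa/0.94.13\r\n"
        b'WWW-Authenticate: Basic realm="DVR"\r\n\r\n'
    ),
    "10.0.0.15:80": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # no banner at all
}

if __name__ == "__main__":
    for endpoint, version in find_boa_hosts(SAMPLE_CAPTURES):
        print(f"{endpoint}: Boa {version} (discontinued 2005; isolate and plan replacement)")
```

A host with no Server header (the last capture) is not cleared by this check, only unidentified; pair banner matching with the vendor's SBOM or firmware manifest where you can get one, which is the supply chain point the Microsoft post makes.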

2022-11-28

Cisco Identity Services Engine Vulnerabilities

Cisco has published an advisory alerting users to four vulnerabilities in its Identity Services Engine (ISE): a tcpdump feature command injection vulnerability; a tcpdump stored cross-site scripting vulnerability; an External RADIUS Server feature stored cross-site scripting vulnerability; and an access bypass vulnerability. Cisco plans to release updates to address the flaws; there are no workarounds.

Editor's Note

ISE is an identity-based network access control (NAC) and policy enforcement system, likely a component in your Zero Trust implementation as you already own it; therefore, fixing this is kind of a big deal. The workaround is there are no workarounds. As such, you need to wait for updates to be released by Cisco. Cisco will only be releasing fixes for ISE 3.1 (3.1p6, March 2023) and 3.2 (3.2p1, January 2023), as well as providing Hot Patches for 3.1p5 and 3.2; contact your Cisco TAC.

Lee Neely

2022-11-28

BMC Firmware Flaws

Researchers at Nozomi Networks have identified 13 vulnerabilities in baseboard management controller (BMC) firmware used in operational technology (OT) and Internet of Things (IoT) devices. These particular flaws "affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X." The vulnerabilities could be exploited to achieve remote code execution (RCE) with root privileges on the BMC.

Editor's Note

The BMC firmware has low level access to system functions, operating below the OS level, so fixing this is important. Fortunately, Lanner has released updates which resolve the issues, but you may have to actively reach out to Lanner to get the update. In addition, make sure that you're restricting access to the web interface to trusted devices and users. Make sure that remote access requires a VPN and ideally even a bastion host.

Lee Neely

Internet Storm Center Tech Corner

Ukraine Themed Twitter Spam Pushing iOS Scareware

https://isc.sans.edu/diary/Ukraine+Themed+Twitter+Spam+Pushing+iOS+Scareware/29276


Log4Shell campaigns are using Nashorn to get reverse shell on victim's machines

https://isc.sans.edu/diary/Log4Shell+campaigns+are+using+Nashorn+to+get+reverse+shell+on+victims+machines/29266


Google Maps Privacy Issues

https://garrit.xyz/posts/2022-11-24-smart-move-google


ACER UEFI BIOS Vulnerabilities

https://community.acer.com/en/kb/articles/15520-security-vulnerability-regarding-vulnerability-that-may-allow-changes-to-secure-boot-settings


OpenSSL Usage in UEFI Firmware Exposes Weakness in SBOMs

https://www.binarly.io/posts/OpenSSL_Usage_in_UEFI_Firmware_Exposes_Weakness_in_SBOMs/index.html


Attackers Keep Phishing Victims Under Stress

https://isc.sans.edu/diary/Attackers+Keep+Phishing+Victims+Under+Stress/29270


Vulnerable SDK components lead to supply chain risks in IoT and OT environments

https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/


Google Chrome Patches 0-Day

https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html


Hacking Smartwatches for Spear Phishing

https://cybervelia.com/?p=1380