SANS NewsBites

Participate in the 2022 HIMSS Cybersecurity Survey; JSON-based SQL Bypasses WAF Controls; Make Sure You Patched Your Fortinet VPN

December 13, 2022  |  Volume XXIV - Issue #96

Top of the News


2022-12-05

Healthcare Information and Management Systems Society 2022 Survey

The Healthcare Information and Management Systems Society (HIMSS) has launched the 2022 HIMSS Cybersecurity Survey. HIMSS is seeking input from healthcare cybersecurity professionals. The results of the survey will be used “to track trends in healthcare cybersecurity, record existing and emerging cybersecurity threats, and develop best practices to keep data secure within the healthcare ecosystem.”

Editor's Note

The 2021 HIMSS survey showed phishing was by far the most common vector for successful attacks and only 34% in healthcare had MFA in use. Phishing and exploitation of reusable passwords will likely still be #1 in this year’s survey, making the top goal for 2023 a large increase in use of standards-based MFA.

John Pescatore

As the industry has been working to address gaps resulting from rapid adoption of technology and increasing services which are customer facing, identifying the current attack paths/risks would help update assumptions on issues in Healthcare security. Past responses identified the most successful attacks used social engineering techniques - beyond merely phishing (spear phishing, vishing, whaling, business email compromise, SMS phishing). If you're in the industry please participate.

Lee Neely

There exist ample public data over the past two years on cyber breaches that were successful against the healthcare sector. There also exist cybersecurity best practices that work for all critical infrastructure sectors, including the healthcare sector. Leverage those data sources as part of the survey.

Curtis Dukes

I know there are cyber security professionals in the health care industry, please complete this survey if you are one of those!

Jorge Orchilles

We already know what to do. The number of successful ransomware attacks against the sector suggests that we are not doing it. Perhaps this survey will provide some visibility into the underlying reasons that we are not doing the essential and possible remedies for those.

William Hugh Murray

2022-12-12

Web Application Firewalls are Vulnerable to JSON Bypass

Researchers from Claroty’s Team82 have “developed a generic bypass of industry-leading web application firewalls (WAF)... [that] involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.” The issue affects WAFs from Amazon Web Services, Cloudflare, F5, Imperva, and Palo Alto. All have updated their affected products to address the vulnerability.

Editor's Note

The article title is misleading because it is more research than just a Generic Web Application Firewall Bypass in the article itself. The Bypass is really excellent, and the research is spot on. However, there is also research around vulnerabilities in software-defined networking controllers that is also fascinating, and you would never realize this by just looking at the article title.

Moses Frost

So, by obfuscating the SQL injection attacks in JSON, the WAF didn't detect them. The updates address this, so you need to deploy them, particularly as the information has now been published. This doesn't mean the WAF wasn't detecting and blocking other attacks; more like here is a new technique which needs to be added to your WAF's arsenal. You still need defense in depth: make sure that your developers are sanitizing input, you are testing your applications regularly, and your testing includes testing without the WAF.

Lee Neely
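The point that the application must hold up without the WAF in front of it can be shown directly. The following is an added example, not code from the Claroty research or from any WAF vendor: it runs a constructed in-memory SQLite table through a string-formatted query and a parameterized query, using a classic tautology input rather than any WAF-evasion syntax, to show that only the parameterized form is unaffected regardless of what a WAF does or does not catch.

```python
import sqlite3

# Constructed sample database: three made-up users, not real data.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string formatting: the input becomes SQL text,
    so the database cannot separate data from code. This is the pattern a
    WAF tries to shield, and the shield is only as good as its parser."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Binds the input as a parameter: the database receives the query shape
    and the value separately, so no input can alter the query."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed inputs: a normal lookup and a textbook tautology injection.
BENIGN = "bob"
TAUTOLOGY = "x' OR '1'='1"

def demo() -> dict:
    """Runs both lookups against both inputs and returns the row lists."""
    conn = build_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, BENIGN),
        "benign_param": lookup_parameterized(conn, BENIGN),
        "injected_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "injected_param": lookup_parameterized(conn, TAUTOLOGY),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The string-formatted lookup returns every user for the tautology input, while the parameterized lookup returns nothing because no user is literally named that; a WAF signature update changes neither outcome.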

2022-12-12

Fortinet Patches Critical Flaw in FortiOS SSL-VPN

Fortinet has released a patch for a severe, zero-day memory corruption vulnerability in its FortiOS SSL-VPN. The heap-based buffer overflow flaw can be exploited to allow remote unauthenticated attackers to execute commands and launch code on vulnerable systems.

Editor's Note

Perimeter security devices remain a popular target for attackers. Our sensors still see older FortiOS exploits used frequently. This vulnerability was patched as part of a recent FortiOS update, but not made public until now.

Johannes Ullrich

The workaround is to disable the SSL-VPN, which isn't really viable if the mission of the device is to deliver your SSL-VPN. The fix is to update to the current version of the FortiOS product. Incorporate the IOCs from FortiGuard into your threat hunting, and verify your device has not been compromised.

Lee Neely

It seems that the last year or two has been the year in which many SSL VPNs have seen their systems explored. Fortinet seems to currently be the target of many of the exploit developers. This could be because of their market presence outside of the US and globally, or it could just be that there was already a lot of research that has led exploit developers to see other vectors in the same system. Maintain patches where you can, and if you’re using a different firewall product, I suspect that there will be other manufacturers that eventually will get the same treatment. No one is immune to software bugs. Stay on top of this and patch where you can, prioritizing SSL VPNs first.

Moses Frost

Since the start of the pandemic, we have seen attackers focus on these types of edge devices. Have an inventory of what you have and ensure you patch consistently upon release.

Jorge Orchilles

2022-12-13

2022 Holiday Hack Challenge

Join the annual SANS Holiday Hack Challenge and participate for FREE in a series of fun hands-on cybersecurity challenges. Available for all skill levels with a stellar prize at the end for the best of the best entries.

The Rest of the Week's News


2022-12-12

Google is Now Rolling Out Passkey Support

Google has started rolling out support for passkeys to the stable version of its Chrome browser, Chrome Stable M108, which is available for Windows, macOS, and Android. Google introduced passkeys in Chrome beta in October.

Editor's Note

Passkey is important not just as a more secure authentication scheme, but also as a more usable one. Having multiple popular browsers provide a similar user experience will make it much easier to support Passkeys. Now we just need to make it easy enough to implement for your average web app developers.

Johannes Ullrich

Apple, Google and Microsoft all adding walk to the talk about strong authentication and Passkeys has turned the first tumbler on the “lock” that has been stymying progress in moving beyond reusable passwords. The app dev/DevOps infrastructure embracing and enabling Passkeys being built in as the default choice needs to be next, followed by interoperability testing across iOS, Android, Linux and Windows platforms to identify and fix bugs/vulnerabilities in early implementations.

John Pescatore

Having built-in support for authentication techniques, such as Passkeys, can make or break the use of them. If you're uncertain, ask your colleagues about which browsers work best with smart card enabled applications, possibly saving questions about mobile devices for later. Not only is Google making this native to the desktop app, but they are also including support in Mobile, which is a big win for a successful rollout. As you enable applications to support passkeys and other strong authentication mechanisms, make sure the users have a low-friction way of using those authenticators as well as fall back to other equivalent mechanisms, not passwords.

Lee Neely

Wonderful news. That said, don’t count out the ability of the password to survive for several more years. There are still a billion or so Windows 10 users that will need to transition to Windows 11.

Curtis Dukes

Passkeys have the potential to revolutionize authentication for people as it’s both very simple (from the human perspective there is no memorization and it is biometrics based) and extremely strong (think ‘phishing resistant MFA’). In this announcement Google is not stating that Google websites support passkeys, but that the Google Chrome browser now supports using Chrome to authenticate with passkeys. While exciting, passkeys are not fully baked yet in the full Internet ecosystem. So if you are an early adopter, go for it! However, this is not something I would be training my workforce yet for their personal use. Hoping to see all the bugs worked out and full ‘ecosystem’ adoption in 2023. For more on Passkeys and phishing resistant MFA - https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

This addresses the user side; we need implementation on the application side.

William Hugh Murray

2022-12-12

Medibank Shut Down Systems Over the Weekend to Make Security Improvements

Over the weekend, Australian health insurance company Medibank took its IT systems offline, closed its branches, and brought in Microsoft’s response team to help them make security improvements. Medibank suffered a cyber security breach in October and is still reeling from the fallout. Customer-facing platforms and IT systems were brought back online on Saturday; retail locations and call centers were scheduled to reopen on Monday. The Office of the Australian Information Commissioner has begun an investigation into Medibank’s data privacy and security practices.

Editor's Note

Medibank has done a few things here: implemented two-factor, added expanded analytics via a third party (in other words, hired an MSP), and categorized the data exfiltrated to quantify the use and reporting requirements. When reviewing your shop, make sure that separate accounts are used for administration from end-user activities wherever possible, and make sure you're MFAing all the users, not skipping admins/VIPs/etc.

Lee Neely

Prior to this, they already made the most important step to raise the bar against attacks: “This follows the recent addition of two-factor authentication in our contact centres,” said Medibank.

John Pescatore

Test your cyber resilience plans before an incident. Use these unfortunate events to motivate your leadership to investigate the data privacy and security practices before a breach. Happy they are doing Lessons Learned and hope they are shared with the public.

Jorge Orchilles

The recovery costs for this breach continue to rise. Additional costs will likely include customer monitoring services; government privacy related fines; and loss of customers given damage to the brand. This makes for an excellent risk management case study for boards weighing cybersecurity costs.

Curtis Dukes

2022-12-09

US Federal Government Agencies and State Governments Ban TikTok

The US Departments of Defense, State, and Homeland Security have banned the use of TikTok on government-owned devices. At least five US states have also banned TikTok; Maryland has additionally banned products from Huawei Technologies, ZTE Corp., Tencent Holdings (including WeChat), Alibaba, and Kaspersky.

Editor's Note

Honestly, if there is a lot of government support for banning dangerous practices, I’d rather see those same agencies ban the use of ISPs that regularly deliver known malicious traffic to government servers, PCs and mobile devices. If that is too much, how about just banning cell phone number spoofing?

John Pescatore

Be aware of what data is processed on which sort of devices, then consider which hardware and software providers you are allowing. Be aware of what your adversaries' motives are, for example: China is big on data exfiltration, theft of IP, while Russia is big on disruptive behavior. Make an active risk determination, then review them over time. Implement technical and administrative controls which follow those assessments. The risks to US or State government data are different than the risks to your data, however if you're processing data on their behalf, you're probably going to have to implement their restrictions to be able to continue to process that data.

Lee Neely

This is about what data can be collected by the app; where and how the data can be accessed; and dossiers built from this and other data sources. Can companies be trusted to protect user data from government access, given national laws? Interestingly, government doesn’t think so; or perhaps this is also a bit about ‘tech nationalism.’

Curtis Dukes

In an abundance of caution, and at the risk of being accused of economic nationalism, one might well object to lumping products like Kaspersky, merely suspected of divided loyalty, with TikTok, a known bad actor.

William Hugh Murray

2022-12-09

UK Government Security Guidance for App Store Operators and App Developers

The UK’s Department for Digital, Culture, Media & Sport has published voluntary security guidelines for app store operators and app developers. The voluntary code of practice offers eight principles: Ensure only apps that meet the code’s security and privacy baseline requirements are allowed on the app store; Ensure apps adhere to baseline security and privacy requirements; Implement a vulnerability disclosure process; Keep apps updated to protect users; Provide important security and privacy information to users in an accessible way; Provide security and privacy guidance to Developers; Provide clear feedback to developers; and Ensure appropriate steps are taken when a personal data breach arises.

Editor's Note

A good next step is using those same voluntary practices as evaluation criteria before acquiring software or cloud services.

John Pescatore

If you're wondering where to get started providing guidance to your team developing mobile apps, this is good guidance. Note that these coding standards are also mapped to UK data protection laws, as well as providing guidance for enterprise app stores, and will be updated in the future as risks change. Make sure that your guidance has similar mappings and is kept updated.

Lee Neely

2022-12-12

Mobile Health App Tool Updated

The US Department of Health and Human Services (HHS), Food and Drug Administration (FDA), and Federal Trade Commission (FTC) have updated the Mobile Health App Interactive Tool. The “tool is for anyone developing a mobile app that will access, collect, share, use, or maintain information related to an individual consumer’s health … [and] is meant to help you figure out the federal regulatory, privacy, and security laws and regulations that may apply.”

Editor's Note

The tool has a series of 15 Yes/No questions about the type of data you're processing, with information about the results of either a positive or negative response. Depending on your responses you may be directed to bypass some of the questions. There is also a glossary and links for further information, which can really help support the inevitable questions of "do I have to" and "where is it written." If you are processing PHI, you want to give this a go.

Lee Neely

2022-12-09

NYC Metropolitan Opera Website Down Due to Cyberattack

A cyberattack has disabled New York City’s Metropolitan Opera website, box office, and call center. The incident has prevented the Met from selling tickets. On Friday, the Met announced it would be selling some tickets through a Lincoln Center website. The attack has also reportedly affected internal systems, including payroll.

Editor's Note

Ticket sales for the Met Opera are in the vicinity of $200K/day, and the outage is also impacting their online store's ability to process credit card orders, a real bugger during the holiday shopping season. The Met has implemented workarounds such as leveraging the Lincoln Center's web site to issue $50 general admission seats, to be assigned on a first-come-first-served basis right before showtime. They are building a backlog of refund/exchange transactions to perform after normal operations resume. When considering failover operations like this, make sure that you can accurately track delayed transactions, and have a clear understanding of how long it will take to catch up, then communicate this to impacted customers.

Lee Neely

Internet Storm Center Tech Corner

Fast Port Scanning in Powershell

https://isc.sans.edu/diary/Port+Scanning+in+Powershell+Redux+Speeding+Up+the+Results+challenge+accepted/29324


Quickie: CyberChef Sorting By String Length

https://isc.sans.edu/diary/Quickie+CyberChef+Sorting+By+String+Length/29328


FortiOS Buffer Overflow

https://www.fortiguard.com/psirt/FG-IR-22-398


A Custom Python Backdoor for VMWare ESXi Servers

https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers


Fuzzing Ping

https://tlakh.xyz/fuzzing-ping.html


Bypassing WAFs with JSON

https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf


Invisible npm malware evading security checks

https://jfrog.com/blog/invisible-npm-malware-evading-security-checks-with-crafted-versions/


PCI Secure Software Standard V 1.2

https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-v1_2.pdf


VMWare/VCenter Patches

https://www.vmware.com/security/advisories/VMSA-2022-0030.html