Focus on Reducing Time to Detect to Lower Ransomware Impact; CircleCI Incident Highlights Need to Harden All CI/CD Pipeline Credentials and Access; It Is Long Past Time to Sunset Windows Server 2012

Falling victim to a ransomware attack given its pervasive use over the last few years is one thing. Only beginning to notify affected customers six months later is something entirely different. Wabtec customers should have been notified faster. The lesson to learn, as has been reported in other NewsBites, is to have a response plan in place and regularly tested.

LockBit strikes again. Dwell time continues to be a challenge: in this case the attackers had about 100 days between the compromise in March and breach June 26th. This would be a good time to review your detection capabilities to see if you could respond any more quickly. While Wabtec is not offering credit monitoring, their notification includes good information on data protection, fraud reporting and credit freeze for US, UK, Canada and Brazilian customers, with relevant sections in English, Portuguese and French. Something to file away if you find yourself in a similar situation. While it seems like a long time between the breach and notification to affected customers, it wasn't until late November that the investigation determined the personal information was included in the breached data. Additionally, law enforcement involvement, in this case the FBI, may have also put some constraints on disclosing information while the investigation was ongoing.

This is probably the most severe breach out of the recent set of breaches. Continuous integration tools must have access to credentials to do their job and need to store them in an accessible format. Your best bet is to limit the capabilities of these credentials, and to regularly rotate them. Rotate them not because they are leaked, but to make sure you are able to rotate them in case they are leaked. And remember the first rule of cloud security: All data in the cloud will eventually leak. Be ready for when it happens.

When you get to the end of the list of "What you should continue to do now" on the CircleCI alert, continue down to the "Additional security recommendations" to raise the bar even higher for your build (CI) process.

Keep track of the end of live / end of support of critical software and hardware, and create life cycle management to anticipate it. In January, Windows 8.1 will reach end of support, and Windows 7 will reach the end of the extended security support. InFebruary, Google Chrome will stop supporting any Windows version prior to Windows 10. At this point, you really should only have Windows 10 or Windows 11 running on Windows workstations.

The good news is that Windows Server 2012 market share seems to be in the .5% range, the bad news is that still means more than 2,000 businesses have it running somewhere. Paying for extended support for 10-year-old versions of operating systems is always going to be more expensive than migrating to current supported version.

With the possible exception of OT systems, you should be well off Server 2012, ideally finalizing your standard configuration for server 2022 and working to replace Server 2016. Yes, you can get extended security updates as far out as October 2026 and ask yourself should you be running an OS released October of 2012, in October 2026. Not just for security challenges over that 14-year period, but also changes in technology which are not going to be available on that platform.

Of the roughly 2000 such systems, one wonders how many are actually paying for extended support and how many are running naked.

This is intended as guidance, not a regulatory requirement, to raise the bar on the security of the ground-based components of satellite systems. They start with the basics: know what hardware you have, know what software is running, know what it is connected to and what your information protection requirements are. Each of the sections of the CSF (Identify, Protect, Detect, Respond and Recover) include sub-categories you should review, including applicability and references to identify gaps or things you may not have considered.

Since the NIST profile applies to ground segments of satellite systems, the guidance in NIST IR 8401 is pretty much the same as any guidance for any computer system. The key phrase in it is “Traditionally, ground segment isolation was accomplished through air gapping or limited connections. Increasingly, isolation is being accomplished via accounts, tenant isolation, and identities when using third-party services.” If you run, or are paying for, ground systems for satellite systems that are still claiming to be air gapped and no external connections, big red flags should be flapping.

Satellites and the ground stations that control them use the same IT and communication technologies found in other critical infrastructure. The threat is really about who can access the ground station, directly or via remote means. Not surprisingly, the same set of basic security safeguards need to be employed to protect this critical infrastructure.

Traditionally, like satellite ground systems, publishers often relied on air-gap separation between “research” networks like the internet and business critical publishing systems. Too often, even after all the pandemic work at home changes, publishing companies are still relying on isolation that no longer exists. Using NIST IR 8401 as a starting point, block-replacing “satellite ground control segment” with “your name here” would be a decent starting point.

Ransomware gangs didn't take a holiday break, and if anything, are upping their game. Take a pause and make sure that your response plan is still good to go, and as the workforce dynamic of local and home workers continues to evolve, make sure services you planned to rely on during a disruption are still in place, e.g., increased VPN capacity at the height of the pandemic, incorporating any lifecycle activities into your planning.

Despite LockBit's actions, hospitals and medical remain top targets for attackers. Even so, don't assume those not in that sector aren't also targets, assume you are and plan accordingly. There are a lot of lessons learned from the medical sector on how they are minimizing impact to their customers as well as leveraging partners in a crisis. Consider hosting their CISO or Incident Responders to tell their story to your staff, board or even cyber association meetings.

Whether this turns out to be a ransomware attack or as described, IT security failure, it underlines the importance of response and recovery functions. These functions should be regularly exercised, to include public communication by the executive leadership team.

Healthcare, more specifically hospitals, continue to be a favorite target of extortion attacks. Not only is patient care impacted but valuable clinical information will never be digitized. Consider proactively disconnecting from public networks unless and until patient care systems can be isolated from those that face the public networks. Patient care applications and systems that use the public networks must be encrypted end-to-end at the application layer.

This is impacting services in 21 states, who are fortunately able to revert to manual methods. While 93% of their infrastructure has been fixed, Cott Systems is still holding their service resumption date close, most likely as they want to be sure that prevent recurrence and know that recently breached companies are at the head of the line for attackers. Note to self - don't just address the discovered attack vector, look for, and address, other weaknesses.

The use of the term ‘organized cyberattack’ makes it sound as if the records management company had no way of protecting itself. Wouldn’t you say that all ransomware gangs are organized in their conduct of a cyberattack? Unless the attacker used a zero-day exploit, then security safeguards specified in best practice guidance like the Blueprint for Ransomware Defense are more than sufficient to protect against attack.

The work of keeping your in-house exchange services secure shows no sign of dropping off. In 2023, I'd be hard pressed to argue there are not hosted alternative email solutions which are viable and secure. Take a look at in-sourced services and make sure that you're not replicating commodity or commonly available services which are taking resources away from achievement of mission objectives.

While the reporting is troubling that such a large number of servers remain unpatched, I can’t say it is surprising. The EternalBlue exploit has been in the wild for five years, yet servers still remain vulnerable. Bottom line: if it’s a remote code execution vulnerability, it’s a must to elevate its priority in patching.

While this is good news, it only applies to new devices and FDA has only received $5M to fund development of policy, procedures and enforcement efforts. There are almost 1,000 medical device manufacturers in the US alone – $5M is literally less than 1 week’s worth of direct to consumer marketing spending by the medical appliance and equipment sector in the US.

This moves the security of medical devices from desired to required by statute. The FDA has 180 days to issue premarket guidance for FDA staff and the device industry as well as publish a report identifying challenges in implementing cybersecurity for current and legacy devices within one year." This is a huge step in the right direction and expect it will be summer or fall before we see medical devices which align with these requirements.

Requiring device manufacturers to demonstrate ability to patch and update their products is a sufficiently low security bar for them to meet. The importance of product patching can’t be overstated. Over time let’s hope that device manufacturers include additional security safeguards.