Do Guests Really Need Easy SMB Access? Multiple Azure Request Forgery Flaws Fixed; Find and Update All Instances of git, Not Just GitLab Version

I’m going to skew *really* old here: before we had houses, we had caves, which mostly had only one way in and out. Perimeter security was pretty straightforward. Operating systems in general and certainly Windows in particular started out essentially like fields, not caves – everything could walk, slither or fly in and out as the default. Even though this change is not a big deal, always good to see Windows being more cave-like than field-like. In real businesses, as long as we don’t send paychecks to customers and products to employees, perimeters exist (albeit more complex than caves…) and will need to be defended.

This is a move in the right direction, shares should only be enabled with a defined process, ideally never from a workstation, beyond what is required for management. Guest logins should only be enabled with deliberate care and forethought. Better still, use cloud-based file sharing services which have many options, including self-registration, logging, and centralized management.

SMB is a network file sharing protocol that cybercriminals can leverage as part of a ‘living off the land’ attack. For years, standard cybersecurity best practice guidance has been to disable guest accounts. By turning off by default for Windows Pro editions, Microsoft removes one additional configuration change that end users have to make – a good thing!

GitLab addresses some vulnerabilities that were found in the open source tool "git" as part of a recent code audit. Aside from GitLab, you should watch out for updates to git from various vendors. Many developers will also install various versions of "git" independently. Unix based operating systems like MacOS often include git, but may have other versions installed as well by development tools.

My experience is folks running their GitLab services are all over keeping them updated, but it doesn’t hurt to verify. Also make sure that your scanning software is checking for versions of GitlLab/Atlassian and similar tools. If you don’t have visibility to their security bulletins, sign up on the announcement page.

This is T-Mobile's 8th breach in less than 5 years. Everybody gets breached at some point. But if you get breached 8 times, it may be time to not just look at technology but the overall culture and management of your security organization.

While T-Mobile’s statement downplays the sensitivity of information obtained, characterizing it as marketing information, the information included name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. Take appropriate steps to watch for your information being misused, not just credit monitoring, but also very targeted social engineering.

APIs are prevalent in today’s modern mobile and web applications and consequently are one of the most frequent attack vectors used by cybercriminals. The Open Web Application Security Project (OWASP) regularly publishes the ten most critical security concerns for web application security. Organizations that provide mobile and web services should become familiar with OWASP and implement the security recommendations provided as part of their software development process.

If you’re in the health care sector, don’t expect the volume of attacks to drop anytime soon. The challenge here is that while the third-party provider notified of the breach within 60 days after confirmation/validation, HIPAA actually wants notification “even if it is initially unclear whether the incident constitutes a breach as defined in the rule.” Have a conversation with your third-party providers to understand how they interpret this language, so you know what to expect. You may want to include your legal counsel in the conversation for peace of mind.

An interesting interpretation of the HIPAA requirement to inform patients within 60 days of possible data exposure. Yes, organizations should be afforded some time to investigate a cyber breach but allowing that amount of time before notification is concerning. Simply put, victims should have been notified faster. Perhaps Congress will take on this reporting requirement ambiguity as they look at potential cybersecurity mandates for health systems.

Bravo to Royal Mail implementing “Operational Workarounds” indicating they are not paying the ransom but rather recovering their systems per their DR plan. The UK seems to be under a wave of increased ransomware attacks, this is a good time to make sure that your operations over there are prepared.

In the face of our continued failure to resist extortion attacks, our backup and recovery procedures must enable us to recover entire mission critical applications in hours to days rather than simply a few files. It may be necessary to recover entire subnets in days.

While Cisco is not aware of this being exploited in the wild, it’s a good time to gather all the updates they released this month and get them deployed, starting with anything which is directly Internet accessible. While you’re at it, make sure that you are able to detect (and ideally block) attempted exploits of these vulnerabilities.

We continue to name vulnerabilities by the method of exploiting them rather than the development and coding practices and quality control failures that lead to them. It should not surprise us that the vulnerabilities persist and recur.