Do Guests Really Need Easy SMB Access? Multiple Azure Request Forgery Flaws Fixed; Find and Update All Instances of git, Not Just GitLab Version

I’m going to skew *really* old here: before we had houses, we had caves, which mostly had only one way in and out. Perimeter security was pretty straightforward. Operating systems in general and certainly Windows in particular started out essentially like fields, not caves – everything could walk, slither or fly in and out as the default. Even though this change is not a big deal, always good to see Windows being more cave-like than field-like. In real businesses, as long as we don’t send paychecks to customers and products to employees, perimeters exist (albeit more complex than caves…) and will need to be defended.

John Pescatore

This is a move in the right direction, shares should only be enabled with a defined process, ideally never from a workstation, beyond what is required for management. Guest logins should only be enabled with deliberate care and forethought. Better still, use cloud-based file sharing services which have many options, including self-registration, logging, and centralized management.

Lee Neely

SMB is a network file sharing protocol that cybercriminals can leverage as part of a ‘living off the land’ attack. For years, standard cybersecurity best practice guidance has been to disable guest accounts. By turning off by default for Windows Pro editions, Microsoft removes one additional configuration change that end users have to make – a good thing!

Curtis Dukes

This item, and the similar Server-side Request Forgery vulnerability found by Orca in Azure, point out 3 key issues: (1) Cross-site Request Forgery was on the OWASP Top 10 for many years, Server-Side Request Forgery is on the list for 2022. I’d like to hear some lessons learned from Microsoft about why these were in Azure code when so many tools find them easily. (2) Azure was patched when the patches were ready – Microsoft did not have to wait until the monthly Vulnerability Tuesday. (3) We still see external parties (good guys with responsibly disclosed vulnerabilities and bad guys exploiting zero days) being credited on the majority of patches that come out in Windows. This all adds up to faster patching is still important and the monthly patch cycle is like using a 4800 baud modem for IT ops hygiene when the bad guys are on gigabit connections.

John Pescatore

GitLab addresses some vulnerabilities that were found in the open source tool "git" as part of a recent code audit. Aside from GitLab, you should watch out for updates to git from various vendors. Many developers will also install various versions of "git" independently. Unix based operating systems like MacOS often include git, but may have other versions installed as well by development tools.

Johannes Ullrich

My experience is folks running their GitLab services are all over keeping them updated, but it doesn’t hurt to verify. Also make sure that your scanning software is checking for versions of GitlLab/Atlassian and similar tools. If you don’t have visibility to their security bulletins, sign up on the announcement page.

Lee Neely

This is T-Mobile's 8th breach in less than 5 years. Everybody gets breached at some point. But if you get breached 8 times, it may be time to not just look at technology but the overall culture and management of your security organization.

Johannes Ullrich

While T-Mobile’s statement downplays the sensitivity of information obtained, characterizing it as marketing information, the information included name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. Take appropriate steps to watch for your information being misused, not just credit monitoring, but also very targeted social engineering.

Lee Neely

APIs are prevalent in today’s modern mobile and web applications and consequently are one of the most frequent attack vectors used by cybercriminals. The Open Web Application Security Project (OWASP) regularly publishes the ten most critical security concerns for web application security. Organizations that provide mobile and web services should become familiar with OWASP and implement the security recommendations provided as part of their software development process.

Curtis Dukes

If you’re in the health care sector, don’t expect the volume of attacks to drop anytime soon. The challenge here is that while the third-party provider notified of the breach within 60 days after confirmation/validation, HIPAA actually wants notification “even if it is initially unclear whether the incident constitutes a breach as defined in the rule.” Have a conversation with your third-party providers to understand how they interpret this language, so you know what to expect. You may want to include your legal counsel in the conversation for peace of mind.

Lee Neely

An interesting interpretation of the HIPAA requirement to inform patients within 60 days of possible data exposure. Yes, organizations should be afforded some time to investigate a cyber breach but allowing that amount of time before notification is concerning. Simply put, victims should have been notified faster. Perhaps Congress will take on this reporting requirement ambiguity as they look at potential cybersecurity mandates for health systems.

Curtis Dukes

There are business and operational reasons for an organization to connect its IT and OT networks. That said, once connected, it does provide a pathway for remote access to vulnerable OT systems. You can count on the adversary finding the connection once they have initial access. Proper planning and active monitoring of these connections should be a high priority for IT and security staff and a feature of regular reporting to executive leadership.

Curtis Dukes

Bravo to Royal Mail implementing “Operational Workarounds” indicating they are not paying the ransom but rather recovering their systems per their DR plan. The UK seems to be under a wave of increased ransomware attacks, this is a good time to make sure that your operations over there are prepared.

Lee Neely

In the face of our continued failure to resist extortion attacks, our backup and recovery procedures must enable us to recover entire mission critical applications in hours to days rather than simply a few files. It may be necessary to recover entire subnets in days.

William Hugh Murray

While Cisco is not aware of this being exploited in the wild, it’s a good time to gather all the updates they released this month and get them deployed, starting with anything which is directly Internet accessible. While you’re at it, make sure that you are able to detect (and ideally block) attempted exploits of these vulnerabilities.

Lee Neely

We continue to name vulnerabilities by the method of exploiting them rather than the development and coding practices and quality control failures that lead to them. It should not surprise us that the vulnerabilities persist and recur.

William Hugh Murray