Look at Advertising Networks as Part of Your Supply Chain Security Responsibility; Check IPV4/V6 Transition Risks; Changes In Ransomware Volume Don’t Change Need for Essential Security Hygiene

Ad botnets/malvertising attacks are a constant and this is reminder that if your company pays for ads or takes revenue from ad placement, advertising networks have to be considered as part of your supply chain security and user awareness programs. In particular, increased use of MFA will bring increased “MFA fatigue” attacks, which share a lot of evil DNA with ad stacking attacks. Use this one as impetus for an awareness push to users and management.

John Pescatore

Not a bad overview, but note that recently released operating systems will use privacy enhanced IPs by default and embedded MAC addresses are rather uncommon these days. Also carefully test the interactions between SLAAC and DHCPv6 for your systems. Just like any feature, it should be enabled if there is a clear business need for it, and if you have the domain expertise to support IPv6.

Johannes Ullrich

Practitioner's note: Whether you've intentionally "transitioned to IPv6" or not, it's likely already running in your environment. Test it yourself! Penetration testers make easy money from systems with rock-solid IPv4 firewall rulesets and "allow any any *" for IPv6. Also, without the protection of NAT, it's worth trying to access internal assets from an external host. It might be directly accessible!

Christopher Elgee

First, a caveat that there is *no* reliable data on ransomware payments, as even Chainalysis notes. That said, essential security hygiene works against the majority of attacks and ransomware is not different. If you’ve been unable to get backing to make needed changes, you can certainly take advantage these headlines to show management that your competition has been getting more secure.

John Pescatore

Between dropping crypto currency prices, and victims refusing to pay, the researcher in me can't wait for what attackers come up with next to monetize their efforts.

Johannes Ullrich

Practitioner's note: If you're not 100% confident that your cloud assets are appropriately secured from public access, test it! Try to access it from an account which shouldn't be able to access your instance/storage blob/assumed role policy. You may still miss subtle misconfigurations, but you'll catch the most egregious - like this one.

Christopher Elgee

Improper configuration of cloud resources is a preventable problem. The Center for Internet Security publishes and makes available for free foundation benchmarks for each of the major cloud service providers (Azure in this case). The benchmark contains security recommendations, and information on how to implement them, that improves the security posture of cloud resources.

Curtis Dukes

Classic "usability vs security" issue. Disabling full Secure Boot protection will cause more support queries from users attempting to use a boot loader / operating system not sanctioned by MSI or the OEM.

Johannes Ullrich

Organizations count on OEMs to ship their products properly configured. The troubling bit is that this configuration change, made by MSI, resulted in secure boot being irrelevant and users of the product were unaware. Lately, CISA has been talking about shifting the security burden (secure, transparent, and sustainable) from the end user to the vendor. Here’s an example where configuration control processes need to be reinforced and tested prior to shipping, else the security shift can become a potential supply chain attack.

Curtis Dukes

Impressive from Apple to release an update for hardware released 10 years ago. I wish more device manufacturers would offer fixes for critical security issues for older devices. On the other hand, I don't think Apple offers any guarantees as to how long updates like this are available for specific devices.

Johannes Ullrich

It is tempting to skip over this “evergreen” item – government agencies not implementing audit recommendations is not news. But, I have to point out that GAO/OMB always never seem to address the root problem of ” Why?” Instead, it is always an immediately jump to “a more comprehensive strategy” is needed at the top, vs. what really are the obstacles facing government CISOs and SOC managers who do want to improve cybersecurity and why some agencies *are* able to stay safe and score well.

John Pescatore

One would hope that implementing fundamental recommendations would obviate others even though it decreased the number of boxes checked. Checking boxes is not an efficient way to achieve quality. Unchecked boxes are not necessarily an indicator of poor quality.

William Hugh Murray

File integrity management is one of basic security hygiene requirements that actually works when done right. One key element is figuring out what are the actual show stopper files, not always just key executables.

John Pescatore

Defeating ransomware has three parts. Step one is making available best practice guidance to protect oneself from ransomware attack; see the ‘Blueprint for Ransomware Defense.’ A second step is not to pay the ransom; over the last year great progress has been made. The third step is removing the currency exchanges used by cybercriminals. Effort along all three parts is necessary, else the cybercriminal will continue targeting organizations.

Curtis Dukes