FAA to Strengthen File Integrity Management; Zero-Days Mean Expediting Patching Windows Now; Find and Patch Vulnerable ClamAV Instances

Let’s be clear: the issue was not contractors, it was the failure by the FAA to realize that pilots accessing NOTAM information was a go/no-go for flying and that any changes/update to the data files was a potentially disastrous event. File Integrity Management tools and processes have been around for a long, long time but often are not used on the files and executables that need to be the most resilient.

John Pescatore

In a hearing before the US Senate Commerce Committee, the Federal Aviation Administration’s (FAA’s) acting administrator Billy Nolen said that the agency has taken steps to help prevent a repeat of the January 11 Notice to Air Missions (NOTAM) system outage. Nolen told the panel, “After the incident, we implemented a synchronization delay to ensure that bad data from a database cannot affect a backup database. Additionally, we have implemented a new protocol that requires more than one individual to be present and engaged in oversight when work on the database occurs.”

Lee Neely

It still comes down to people, process, and technology. People: were the contractors, and FAA personnel for that matter, sufficiently trained to understand and maintain a critical flight system used by the aviation industry? Process: was the update sufficiently QA’ed/tested prior to implementing on both active/backup NOTAM system? Technology: let’s not forget, the NOTAM system is 30 years old; it can be difficult to find qualified engineers to maintain. Which brings us back to people.

Curtis Dukes

This is obviously justification for the continuing need to shorten time to patch, but I’d like to see Microsoft come forward with a “why these vulnerabilities were there and what we are doing to reduce the odds of something like this happening again, and here are Microsoft’s plans for making easier for our customers to more quickly patch flaws found in our products.”

John Pescatore

While it’s pretty much SOP to push these updates expeditiously, use the zero-day fixes to counter any attempts to delay the rollout. Note that MS is in the NIST KEV with a 3/7/23 due date you can leverage.

Lee Neely

Three actively exploited vulnerabilities will demand immediate attention by IT staff. It does beg the question: What has changed, if anything, with Microsoft’s security development lifecycle (SDL)? Microsoft rightfully changed the software development landscape with the introduction of SDL back in 2004. Is it time for a new security development lifecycle push within the industry?

Curtis Dukes

Do not overlook this vulnerability. ClamAV is often embedded in other products without explicitly declaring its presence. Watch out for related updates from various vendors. The vulnerability affects HFS+ files. This file type, an older Apple file system, may not be used in your environment, but the target is the antivirus scanner that may scan the file (and expose itself to exploitation) regardless of you using or not using the file type.

Johannes Ullrich

The flaw lies in the HFS+ scanning engine and Cisco has updates. There are no workarounds. Cisco categorizes this as a critical flaw: make sure your team has a definitive plan for addressing affected components that fits your policies and risk tolerance.

Lee Neely

There is a lot of talk about various car related vulnerabilities, but this issue is actually widely exploited and must be patched quickly. It also illustrates the difficulties of rolling out these patches for cars that were never meant to receive regular software updates.

Johannes Ullrich

The software update, which includes a window sticker indicator that the vehicle has anti-theft protection, will replace the efforts to deliver steering wheel locks to owners. The changes will take a bit to deploy, so you may want to check with your local law enforcement for a steering wheel lock to use until the update is deployed to your vehicle.

Lee Neely

A new play on social media platforms… a guide to vehicle theft. Three observations: 1) perhaps a bit more content moderation by TikTok; 2) extending the alarm sound, surely to be a hit in the neighborhood; and 3) of course the software update will be free; it’s about brand protection.

Curtis Dukes

Since car alarms have such high false alarm rates, I doubt doubling the length of the annoying noise will reduce theft rates. But, requiring the keys to be in the ignition before the engine starts is just another example of strong authentication being a “key” requirement…

John Pescatore

It is time to retire Internet Explorer (IE). It has secured its place in the history of the world wide web and more modern browsers exist today – Edge being one of them.

Curtis Dukes

Edge still has an IE 11 compatibility mode you can leverage. Better still provide a sandboxed browser for applications which still require IE 11. (And have a frank talk with your vendor/etc. about getting on current browsers. ) IE 11 support was pretty much done last June. While Edge will support IE 11 mode through 2029, you really don’t want to be locked into that with changes to user technology and other browsers you’re going to want to adopt.

Lee Neely

At some point software becomes obsolete. While it takes courage, at that point it should be withdrawn from use by both the vendor and the users. That is particularly true for frequently patched code and for code where newer functionally equivalent code exists.

William Hugh Murray

The “at least $150M so far” works out to about $250 per patient which is already high for a breach of this size. The phrase “cybersecurity incident” was listed a dozen times as the major reason for missing financial projections, and CommonSpirit Health stated they haven’t yet received any compensation from their cyberinsurance carrier.. Even after any compensation there, this will be another example of cost to avoid being much less than the real financial impact of an incident.

John Pescatore

his attack could be much worse. They serve 20 million patients, so this is about 3 percent. Capturing the full cost of an incident is tricky as you not only have recovery costs but also costs of incorporating alternate or workarounds and loss of existing and future business. Don’t let cost accounting distract you from building and testing DR plans; the better those are, including your ability to execute them, the cost and time to recover will be reduced, mitigating some of the non-IT costs/business impacts.

Lee Neely

Ransomware attacks affect every industry vertical and this journal article presents an excellent case study for board and company executive teams. Leadership teams often debate the cost of cybersecurity tools against profit margins. Let’s be clear: the cost of an effective vulnerability management program is far less than the cost of incident response, recovery, and impact to the company brand.

Curtis Dukes

Threat actors exploited a vulnerability in their file transfer system which has a patch from February 7, 2023, and needs access to the administrator console to exploit. While we can’t know what vulnerabilities are present or be discovered, we can secure access to administrative consoles to make it hard for threat actors to exploit as yet unknown weaknesses. You can also monitor those accesses, following up on any anomaly.

Lee Neely

The attack that affected Community Health Systems turned out to be a zero-day exploit. ‘Zero days’ are difficult to defend against until the vendor issues a patch. While that is of little solace to the million or so affected, the company did act responsibly once notified of the attack.

Curtis Dukes

’d like to see the DHS Office of Inspector General do an audit to make sure the software upgrades and the cryptographic verification is actually implemented correctly and working. Maybe it took 16 years to do just that, and the initial use on 3 million visitors did find 12 fraudulent actors, but crypto is easy to do badly and performance in production should be verified before trusted.

John Pescatore

This has been operating since June, after a mandate three years ago by two senators for CBP to implement the system as the e-passports had been issued for years. It is intended to catch people traveling with forged documents. It’s also designed to be less intrusive than facial recognition. Thus far, 12 fraudsters have been caught and the only challenge is recognizing e-passports issued by Andorra, a small country of about 80,000 between France and Spain.

Lee Neely

Even if you’re not bound to the KEV to report on addressing vulnerabilities, it’s a good idea to keep an eye on it as it highlights vulnerabilities being actively exploited in the wild, along with the needed fixes, so there is no reason you can’t be prepared to resist those attacks. Advisories are also looking at that catalog, so maybe don’t wait for the due date to implement fixes?

Lee Neely