Make Sure This Week’s Chrome Patches Are Restarted and Completed; Google Says Cloud Threats Mitigated By MFA, Strategies for Patching Kubernetes Faster, and Essential Security Hygiene; Another Spyware Company Exits the “Law Enforcement” Market

A lot of times you hear advice to "update your browser" (I may have said that myself). For Chrome, and most other browsers, you never need to actually do anything to update the browser, but the browser will do it for you behind the scenes. Just make sure you fully exit the browser once a day to allow it to apply the update. Bad actors are using news like this to distribute malware via fake browser updates.

Check out the Chrome Enterprise settings to ensure that users are required to relaunch to finish the update process. Encourage users to click the relaunch prompt when shown rather than waiting for it to timeout, or your processes to intervene. Google reports an exploit for CVE-2023-2033 exists in the wild. Don't overlook updates for Chromium based browsers, Brave, Opera, Vivaldi, etc.

Since most browsers and even mobile operating systems push patches out constantly, “Emergency Fix” is pretty much an outdated term that largely only applies to Windows these days. Convince your CIO that all since all those cloud services you use are able to patch continually, the same should be true for data center and fat client apps.

The type confusion vulnerability allows remote code execution and should be patched immediately. Several years ago, Google greatly simplified the patch management process for Chrome, now mirrored by all major browser vendors. It’s as simple as closing and reopening the browser.

Browsers, the universal clients, are open, general, flexible, feature rich, complex, and vulnerable. Prefer purpose built clients for sensitive applications.

The takeaways: (1) Move away from reusable passwords; (2) You can and should patch Google Kubernetes Engine faster; and (3) Adding a few essential security hygiene practices to (1) and (3) will thwart/mitigate most attacks and allow you to concentrate on and more quickly detect more complex API and Living off the Land attacks.

This report, and many others, reinforce that the primary attack vector for criminals is via compromised credentials, if you haven’t done so by now you really need to look at implementing Multi-Factor Authentication for all systems, especially cloud based ones. Now is also the time to review your Identify and Access Management strategy to ensure it addresses current threats and risks.

The report finds that attackers are using more and more red teaming tools, which isn't a huge surprise. We've all spent a lot of energy being ready to detect the use of Cobalt Strike, because it's become a tool of choice for attackers; it'd be easy to overlook other red teaming tools as well as the ease of shifting their attack using cloud-based resources. Make sure that you're set for broad based detection and are prepared for a changing attack source. While your threat hunters are making sure they're on their A game, also make sure that your ICAM folks are as well, that accounts are being actively managed, reviewed and removed. Get rid of reusable passwords wherever possible. That account for that person who was invaluable but retired and will be coming back in a few months, so you keep it open - maybe reconsider that approach?

For those in the cybersecurity business, an excellent read. The strategic perspective was particularly informative as it highlighted the symbiotic relationship between cyber criminals and state-sponsored threat actors. The more troubling finding is that passwords and API compromises continue to be the leading method of compromise. Use MFA and the guidance provided by OWASP for API security.

Strong authentication continues to be the most efficient cybersecurity measure. While it has limits, it dramatically raises the cost of attack. Even when compromised, it permits only session stealing but resists session initiation.

Skewing old here, but when I worked for the US Secret Service in the 1980s, same issues existed: commercial entities would pop up claiming to sell “law enforcement technology” but they were really selling “criminal technology for detecting/thwarting law enforcement” technology. Like weeds, almost impossible to eradicate but still important to make it unprofitable to sell to criminals. This is one reason there are many fewer virtual “currency” exchanges than just a few years ago.

"Government Spyware" companies may have learned from the NSO Group's demise. Looks like they added the "Citizen Lab" scenario to their incident response playbooks, and are reacting with a more ephemeral business model. The talent behind these companies is likely going to reconstitute soon under a new name.

QuaDream's platform is called REIGN and is marketed to governments for "law enforcement" purposes. It is a suite of malware, exploits, and infrastructure designed to exfiltrate data from mobile devices. As long as governments are willing to purchase spyware like QuaDream's REIGN and NSO's Pegasus, companies like this will be in business. They prefer to have little to no public presence, discouraging employees from mentioning their employer in public or on social media, so when a disclosure like this crops up, they will go to ground, and I predict emerging in a new persona, with the same toolset.

Between the recently released EO and reports from Citizen Lab/MSFT, some spyware companies will find it difficult to stay in business. That said, the skillsets used by spyware vendors are in short supply; and there is increasing demand for those skills. It’s likely they will resurface in some other form; perhaps supporting sanctioned activities.

These documents work to relate cybersecurity to healthcare practices to help practitioners relate to the importance of the guidance. They are focused on relevant, cost-effective ways to raise the bar on cybersecurity as well as identifying top threats which can impact patient safety (social engineering, ransomware, data loss, network attacks of medical devices and lost/stolen equipment). Worth the time to read and leverage to work any gaps/omissions. If nothing else, use them to show decisions made to raise the bar were credible and necessary.

HHS has put together a compendium of cybersecurity practices for the Health Industry. It can be a little difficult to wade through with a main document, two technical volumes, and a separate resources/templates volume, but great awareness information nonetheless.

Healthcare remains vulnerable and a target of opportunity, in part because, HIPAA security guidance was not prescriptive. Strong guidance, prescription, is what is needed in healthcare.

In 2020, Space Policy Directive-5 (SPD-5) defined space systems to include ground systems, sensor networks, and space vehicles. This report builds on that, not only suggesting space systems be labeled critical infrastructure, but also recommending Congress provide NASA $15m per year with 25 FTEs to take on any added responsibilities as sector risk management agency. It's not clear if that amount, funding and staffing, is sufficient to solve the problem, but it is sufficient, if maintained, to move the bar in the right direction. Investment will be needed not only at NASA, but also partners such as JPL, who design and operate space systems. Moving the bar, particularly for existing space vehicles, will be both challenging and exciting.

The 2022 SANS Threat Report, based on Rob Lee’s portion of the RSA SANS Threat Panel, pointed out real world examples of space systems’ “dual use,” (military/commercial) meaning risk spills over to the commercial sector during conflicts.

No doubt, GPS has become critical to everyday life. When was the last time you used a map to navigate? As such, not surprising that we would want to designate satellites that enable GPS as critical infrastructure. That, perhaps, is the easy part. Now how does one protect those critical assets, some of which were launched into orbit over a decade ago?

Imagery is not quite as obvious as GPS and comms but has proven importance beyond foreign intelligence.

To incentivize participation, Fick is working to make sure that proper service credit is given to employees who chose to focus on technology and cybersecurity, versus traditional embassy job assignments, with the ultimate goal of every credible candidate for chief of mission or U.S. ambassadors having a demonstrated understanding and support for technology and cybersecurity. Fick is working to hire up, leveraging an expedited hiring process to hire another 25-30 civil service workers.

One hopes that ambassadorial level really means they are serious. That said, while training is important, it is at best a substitute for experience.

The Android flaw effects Android 11,12, 12L and 13, and the CISA advises patching by May 4. Realistically, you should have Android 13 as your minimum platform: it's been out since last August. This flaw, CVE-2023-20963, with a raw CVSS score of 7.8, is being actively exploited. Exploitation allows malicious apps to install or remove apps, grant permissions, and make some apps non-removable without user interaction. Note the macOS update added to the KEV is for 10.14.4, released in March 2019; you should be on macOS 12 & 13 at this point, not updating macOS 10.14.

With these vulnerabilities, the KEV catalog is now up to 918 entries, over 18 months. I have to ask again about the effectiveness of the catalog given no linkage to FCEB Agency compliance, other than periodic GAO or IG cybersecurity audits.