US Government Moves Forward on Software Developer Security Attestation; Drive Software Vendors to Move to Memory-Safe Programming Languages; Apple’s First Rapid Response Security Update Has Value, Needs Transparency

There will be a lot of grumbling around this, but this has been the critical missing first step after years of talk (new strategies every 4 years) by the US federal government around increasing software security and very little movement forward. Software Bills of Material are not very useful if all the software is packed with vulnerabilities. A positive side effect of this will be more of those government agencies who have been unable to patch data center software will move to FedRAMP cloud services to avoid the attestation effort.

The intent is to move the software industry to use secure design principles in product development – a good thing. That said, the government has to be careful not to ‘blacklist’ vendors as part of government procurement. Additionally, vendors may open themselves to increased liability should software defects be traceable to non-adherence in CISA specified design principles.

If you're a software provider, take the time to review and comment on the proposed form. While it's not clear how one could require a 100% attested software base, it's going to be different for providers, which currently provide software to federal customers, to continue to do so without this attestation.

Poor software quality has left us with an infrastructure that is expensive to use and a risk to our national, not to say global, security. This is a small step toward the minimum representation of quality that one should expect of any and all software vendors.

Progress/plans towards moving the memory-safe languages is a good question to ask in all software RFPs.

Moving to languages with more built in security protections is a great thing. I, for one, welcome our new Rust overlords!

I’ve been a fledging Rustacian for a while now. Rust is one of these languages that proves you can have speed and memory safety. In my opinion, every language has its use cases, and Rust is designed to replace some of the more commonly exploited software packages, from JavaScript engines to systems languages. The learning curve, however, is steep.

Something like 70% of the Windows CVEs are memory related. Moving from C++ to a memory safe, newer, programming language, in this case Rust, is good as you're not only using a language that has modern memory protections, but also forces re-evaluation of code, providing the opportunity to not carry forward sins of the past.

This is an exciting announcement and is a small, first step to memory safe code. That said, we’re still at least a decade or more away from seeing the Windows operating system written entirely in Rust.

Rust is a major improvement in our software development tools. By improving object type enforcement, it addresses the source of many of our software problems. Kudos to those who have contributed to it. Amazon, Google, and Microsoft lead a long list of corporate sponsors. Look for your suppliers on that list.

I applied this update to my iOS and macOS systems with little issue. The new update process is significantly faster. However, Apple did not release any details as to what vulnerability it exactly patched. I do not like "mystery updates." Some users reported difficulties downloading the update which may be related to Apple not being able to handle the large number of requests, and the rapid deployment. According to code found by researchers, Apple intends to apply this update across its user base in two days.

I am on Apple Beta on several devices, so I have installed some rapid updates while in beta. These are sorely needed. They generally take less than 5 minutes to install. The first time it happens, I think many Apple users will be afraid to hit “install” because it’s never been a quick thing, but after a while, it should be simple for everyone. On a side note, this is not the conversation we would have with Android, as currently, it would revolve around “Are updates even available for my device?”

It’ll be interesting to see how quickly people and organizations deploy this, given the lack of details about the issue and some bumps in the road to installation. I think it’s a worthy experiment by Apple. I do hope they will report numbers and a timeline for how quickly users applied this update.

These updates, which I've seen in the Beta programs for iOS, are really slick, they are small, download and install quickly, which means it's a really low impact on end users, who can even install them over cellular data because of the small size. These rapid security response updates are available for iOS 16 and macOS 13 only. If they could change the trend of bundling new features and security updates, pushing low impact quick updates to users monthly would go over well with users and facilitate keeping devices updated.

Over the past couple years, we’ve seen an increase in active exploitation of Apple products. The Rapid Security Response feature is Apple’s response. It’s too early to tell if the feature will streamline patch management or create additional user headaches in the form of update fails.

Though I had "automatic updates" on, I had to initiate the update manually. No problems. Very fast update; minutes rather than the usual tens of minutes.

Many years ago, I had a chance to look at a DNA sequencing machine (not Illumina). I called it affectionately a "honey net." It consisted of a Windows, a Linux, and a Solaris system, in default configuration, with simple-to-guess passwords. The manual had a note about not connecting it to a public network. But the switch connecting the machines had an unused port to do just that. I always wondered myself if these machines are used for criminal forensics and if these vulnerabilities could affect the reliability of results presented in court.

Clearly, you need to install the provided update. But you also need to look at your network architecture. The flaw is being used to cause the device to listen on other network interfaces. With segmentation in ICS/OT networks, that should really be done with a purpose built router/firewall, not your endpoint. Additionally, make sure you're restricting access to those systems to only authorized components and users.

I find the intersection of bio-medical/genomic technology and cyber security issues particularly fascinating and scary. This is definitely an area to keep an eye* on! *See what I did there?

Yes, a critical (CVSS Score 10) vulnerability that warrants priority patching. That said two things going in favor of the defender: 1) a relatively small number of organizations involved in DNA sequencing worldwide; and, 2) ability to restrict access via the internet whilst prioritizing the patch.

I found that the easiest and cheapest way to maintain perpetual free credit monitoring is to maintain a T-Mobile account. That said, based on one of these monitoring services I subscribe to (thanks T-Mobile for paying for it), my information already has been leaked four times so far this year (not just from T-Mobile).

I'm not sure that saying "this breach only impacted 850 customers" will make the 37 million impacted by their last breach feel any better. This is breach number seven since 2018, a little better than one per year. When you find yourself in a scenario such as this, you probably have a different root cause, likely cultural, which needs to be fully addressed before you can stem the tide. If you're a T-Mobile customer, make sure you're enrolled in credit monitoring, update any account PINs and make sure you don't have any nefarious activity associated with the account or payment methods.

How many times has T-Mobile been breached? I can’t even count at this point; it seems to be an almost yearly event, even though it's not. This time it appears to be rather small at under 1000 users. With T-Mobile’s size being so large, you have to wonder if the customers even care at this point at this.

I suspect after this breach notification T-Mobile will spend a bit more time on securing its infrastructure vice it’s focus on the magenta color.

Take a look at the HHS Breach Portal below for the number of cases under investigation for a hint of what the healthcare industry is working through. If you're in the healthcare industry, you should be talking to your ISAC, CISA or other industry partners not only to obtain tools and resources to measure your security but also to establish relationships you're going to need for incident response when it happens. If you know folks in the sector, reach out to them and see if you can help; they are likely feeling a bit like a punching bag.

Unfortunately evil-doers continue their assault on the healthcare sector. Until we find ways to automate security for the cyber underserved, they will continue to be targeted by ransomware gangs.

As a government entity, ransom payment was not an option, nor should it be. That means the organization must have a ‘rock solid’ incident response plan which is regularly exercised. What’s troubling though is, ten weeks later the system is still down. One wonders what the last GAO/IG cybersecurity audit found with regard to the US Marshal Service.

As near as I can tell, they are building a new version of the system, from the ground up, with enhanced security. This identifies a challenge you may face in this scenario - do you rebuild (completely) or do you restore, repairing any issues to restore services. Delivering IT projects, with security and functionality in place, at a given release date is challenging on a good day. Develop your risk acceptance criteria in your tabletop or other BC/DR activities so you're not making this decision "flat footed."

Note the website below is their temporary site; their main site is also offline at this time. While they don't believe any EHR data was exposed in this breach, and they are rebuilding systems, they are also not convinced the attacks will not continue. Another case where they are following the BC/DR plan to restore services. Another repeat attack scenario, where discovery of what core changes can be made to stop recurrence is going to be a challenge. This is a case where stepping back to the basics, making sure you know what you have, what it is and is not supposed to be doing, that it is updated and configured securely and properly monitored and then build from there. Yes, use a structured framework such as the critical controls, to do this analysis, you're already stressed and distracted by the attack, take advantage of any help you can get to get to the other side.

While our focus is usually on the healthcare and education sector, here’s an example of an apparently well-resourced IT service organization that suffers not one, but two cyber breaches over the course of a few months. One does wonder whether the evil-doer was ever really ‘booted’ from the network after the first breach.