SANS NewsBites

US Government Moves Forward on Software Developer Security Attestation; Drive Software Vendors to Move to Memory-Safe Programming Languages; Apple’s First Rapid Response Security Update Has Value, Needs Transparency

May 2, 2023  |  Volume XXV - Issue #35

Top of the News


2023-05-02

SANS.edu Graduate Students Research Review Journal, Volume 3

Last week, the SANS.edu college released the third volume of its annual research journal. The journal summarizes some of the best research papers written by our students over the last year. Download your free copy:


2023-05-01

CISA Releases Draft of Secure Software Self-Attestation Form

The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on a draft version of the Secure Software Self-Attestation Form. A September 2022 directive from the Office of Management and Budget (OMB) mandates that “Federal agencies must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance.” Comments will be accepted through June 26, 2023.

Editor's Note

There will be a lot of grumbling around this, but this has been the critical missing first step after years of talk (new strategies every 4 years) by the US federal government around increasing software security and very little movement forward. Software Bills of Material are not very useful if all the software is packed with vulnerabilities. A positive side effect of this will be more of those government agencies who have been unable to patch data center software will move to FedRAMP cloud services to avoid the attestation effort.

John Pescatore

The intent is to move the software industry to use secure design principles in product development – a good thing. That said, the government has to be careful not to ‘blacklist’ vendors as part of government procurement. Additionally, vendors may open themselves to increased liability should software defects be traceable to non-adherence in CISA specified design principles.

Curtis Dukes

If you're a software provider, take the time to review and comment on the proposed form. While it's not clear how one could require a 100% attested software base, it's going to be difficult for providers that currently provide software to federal customers to continue to do so without this attestation.

Lee Neely

Poor software quality has left us with an infrastructure that is expensive to use and a risk to our national, not to say global, security. This is a small step toward the minimum representation of quality that one should expect of any and all software vendors.

William Hugh Murray

2023-05-01

Windows Libraries, Linux-like Utilities are Being Rewritten in Rust

In the interest of improving security, some software is being rewritten in Rust. Microsoft has begun rewriting core Windows libraries in the memory-safe programming language. Linux-like command line tools sudo and su are also being rewritten in Rust.

Editor's Note

Progress/plans towards moving to memory-safe languages is a good question to ask in all software RFPs.

John Pescatore

2023-05-01

Apple Issues its First Rapid Security Response Updates

Nearly a year after introducing its Rapid Security Response feature, Apple has released its first updates for iOS and macOS through Rapid Security Response updates. The feature was designed to allow Apple to quickly issue patches more frequently when a vulnerability is being actively exploited or otherwise poses a serious risk. Apple has not yet provided details about the vulnerabilities the updates address. The update will add an (a) to the OS version to indicate that it’s been installed. Users are reporting difficulties installing the patches on iPhones.

Editor's Note

I applied this update to my iOS and macOS systems with little issue. The new update process is significantly faster. However, Apple did not release any details as to what vulnerability it exactly patched. I do not like "mystery updates." Some users reported difficulties downloading the update which may be related to Apple not being able to handle the large number of requests, and the rapid deployment. According to code found by researchers, Apple intends to apply this update across its user base in two days.

Johannes Ullrich

The Rest of the Week's News


2023-04-28

Illumina Genome Sequencing Tool Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS Medical Advisory warning of two vulnerabilities in Illumina Universal Copy Service (UCS) v2.x; affected products are used for DNA sequencing. One of the flaws allows remote attackers to bind to an unrestricted IP address, eavesdrop on all IP addresses, and execute arbitrary commands. The second flaw is a privilege misconfiguration vulnerability that could be exploited to execute code with elevated permissions.

Editor's Note

Many years ago, I had a chance to look at a DNA sequencing machine (not Illumina). I called it affectionately a "honey net." It consisted of a Windows, a Linux, and a Solaris system, in default configuration, with simple-to-guess passwords. The manual had a note about not connecting it to a public network. But the switch connecting the machines had an unused port to do just that. I always wondered myself if these machines are used for criminal forensics and if these vulnerabilities could affect the reliability of results presented in court.

Johannes Ullrich

Clearly, you need to install the provided update. But you also need to look at your network architecture. The flaw is being used to cause the device to listen on other network interfaces. With segmentation in ICS/OT networks, that should really be done with a purpose-built router/firewall, not your endpoint. Additionally, make sure you're restricting access to those systems to only authorized components and users.

Lee Neely

I find the intersection of bio-medical/genomic technology and cyber security issues particularly fascinating and scary. This is definitely an area to keep an eye* on! *See what I did there?

Ed Skoudis

Yes, a critical (CVSS Score 10) vulnerability that warrants priority patching. That said, two things go in favor of the defender: 1) a relatively small number of organizations are involved in DNA sequencing worldwide; and 2) the ability to restrict access via the internet whilst prioritizing the patch.

Curtis Dukes

2023-05-01

Another T-Mobile Breach

T-Mobile has begun notifying about 850 customers that their personal information was compromised in a data breach. The intruders had access to T-Mobile data from late February through March of this year. The compromised data includes T-Mobile account PINs; T-Mobile has reset the PINs of affected customers. This is the second breach T-Mobile has disclosed since the start of this calendar year; in January, T-Mobile disclosed a November 2022 breach that affected 37 million customers.

Editor's Note

I found that the easiest and cheapest way to maintain perpetual free credit monitoring is to maintain a T-Mobile account. That said, based on one of these monitoring services I subscribe to (thanks T-Mobile for paying for it), my information already has been leaked four times so far this year (not just from T-Mobile).

Johannes Ullrich

2023-05-01

Healthcare Sector Data Breach Roundup

Several healthcare sector breaches have been reported to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) and various attorneys general offices. Graceworks Lutheran Services in Dayton, Ohio reported a breach affecting more than 6,700 individuals to HHS OCR. Petaluma Health Center in California disclosed an incident that affected personal information of current and former employees, volunteers, and board members. New York-based Unlimited Care notified an unspecified number of people that their protected health information (PHI) may have been compromised. And NYSARC Columbia County Chapter (COARC) disclosed a ransomware attack that affected its systems last summer.

Editor's Note

Take a look at the HHS Breach Portal below for the number of cases under investigation for a hint of what the healthcare industry is working through. If you're in the healthcare industry, you should be talking to your ISAC, CISA or other industry partners not only to obtain tools and resources to measure your security but also to establish relationships you're going to need for incident response when it happens. If you know folks in the sector, reach out to them and see if you can help; they are likely feeling a bit like a punching bag.

Lee Neely

2023-05-01

US Marshals’ System Still Down After Cyberattack

In February, the US Marshals Service acknowledged that it suffered a ransomware attack, but no specifics were released about what system or systems within the organization were impacted. Now it has been determined that the affected system is one used by the US Marshals Service Technical Operations Group (TOG), which tracks individuals through their cell phones, emails, and web usage. Ten weeks after the attack, the system is still down.

Editor's Note

As a government entity, ransom payment was not an option, nor should it be. That means the organization must have a ‘rock solid’ incident response plan which is regularly exercised. What’s troubling, though, is that ten weeks later the system is still down. One wonders what the last GAO/IG cybersecurity audit found with regard to the US Marshals Service.

Curtis Dukes

2023-05-01

German Health Insurance IT Service Provider Bitmarck Takes Systems Offline After Cyberattack

German health insurance system IT service provider Bitmarck experienced a cyberattack against its internal systems. In accordance with their “security protocol, BITMARCK then took customer and internal systems offline and carried out an impact analysis.” Bitmarck suffered another attack in January 2023 that resulted in the theft of 300,000 insurance policy holders’ information.

Editor's Note

Note the website below is their temporary site; their main site is also offline at this time. While they don't believe any EHR data was exposed in this breach, and they are rebuilding systems, they are also not convinced the attacks will not continue. Another case where they are following the BC/DR plan to restore services. Another repeat attack scenario, where discovery of what core changes can be made to stop recurrence is going to be a challenge. This is a case for stepping back to the basics: making sure you know what you have, what it is and is not supposed to be doing, that it is updated and configured securely and properly monitored, and then building from there. Yes, use a structured framework such as the critical controls to do this analysis; you're already stressed and distracted by the attack, so take advantage of any help you can get to get to the other side.

Lee Neely

2023-04-28

UK Banks Experience Web and Mobile App Outages

Several UK banks reported outages of their online and mobile services on Friday, April 28. Customers were unable to access account balances and other data. The affected institutions include Lloyds, Halifax, Bank of Scotland, all of which are subsidiaries of Lloyds Banking Group, and TSB, which has been associated with Lloyds Banking Group in the past.

Editor's Note

In this case, these banks have the same parent company and are likely using the same service provider for online and mobile banking. In the past we would have called this a service bureau or outsource. In the credit union industry this is called a Credit Union Service Organization. In all cases, these service providers, which lower the barrier to having all the desired functions and services for customers, also represent potential single points of failure, depending on how their services are architected. What a participating FI needs to do is ask how tenants are isolated, what the availability model is, and how they are protected from issues, ranging from DDoS and routing issues to ransomware or other cyber-attacks. Ask about options you have not currently contracted for, or may not have existed when you first started working together, then compare with their competition. It may be simpler to activate new security features than switching, but in some cases, their business/growth model doesn't align with yours and the best answer is to part ways.

Lee Neely

2023-05-01

Cold Storage Company Discloses Cybersecurity Incident

Atlanta-based cold storage and logistics company Americold Realty Trust has disclosed that it experienced a cybersecurity incident earlier this year. In a filing with the US Securities and Exchange Commission (SEC), Americold wrote that after learning of the incident, they “implemented containment measures and took operations offline to secure its systems and reduce disruption to its business and customers.” Americold operates 250 temperature-controlled warehouses around the world. The facilities are used by food producers, distributors, and retailers.

Editor's Note

Given the connection between their IT systems and what's in those warehouses, taking out their IT systems renders their ability to manage what is in cold storage, as it were, nearly impossible, even though refrigeration systems appear to be operating perfectly. They expect to have workarounds in place this week. Until then, they are asking for no inbound shipments, and to limit outbound shipments to critical ones, namely those driven by product expiration dates. An interesting challenge is building the system with enough centralization to run the business effectively while having enough resiliency and isolation to segment affected areas yet keep the rest of the business operational.

Lee Neely

Internet Storm Center Tech Corner

Passive Analysis of a Phishing Attachment

https://isc.sans.edu/diary/Passive+analysis+of+a+phishing+attachment/29798

Quick IOC Scan With Docker

https://isc.sans.edu/diary/Quick+IOC+Scan+With+Docker/29788

Deobfuscating Scripts When Encodings Help

https://isc.sans.edu/diary/Deobfuscating+Scripts+When+Encodings+Help/29792

Apple Rapid Security Response

https://www.macrumors.com/2023/05/01/rapid-security-response-16-4-1/

Grafana Security Release

https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/

Illumina Vulnerability

https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-affecting-universal-copy-service-software-may-present-risks

Hackers Are Breaking Into AT&T Email Accounts To Steal Cryptocurrency

https://techcrunch.com/2023/04/26/hackers-are-breaking-into-att-email-accounts-to-steal-cryptocurrency/

Threat Actor Selling New Atomic MacOS AMOS Stealer on Telegram

https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/

Zyxel Firewall Vulnerability

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls