Take Advantage of GitHub Push Protection; Active Exploits Require Rapid Windows Patching; Check Employee Onboarding Processes Vulnerability to Targeted Attacks

Very nice and useful feature. Once a secret makes it into a git repository, removing it can be difficult. Even better to offer this as a free feature to all (paid users get some customization).

This is free for public repositories, requires the use of GitHub Advanced Security licenses at a list price of $21 per user per month for private repositories. That $300 per GitHub user per year should be considered a mandatory cost for to claim you are doing the Sec part of DevSecOps.

This is a free service to help detect any secrets you’ve inadvertently put in your repositories. Regardless of other mitigations you’ve implemented, adding one more, particularly one without a cost which is already integrated in the platform, is a no-brainer.

Feedback on the GitHub’s beta protection feature for paying customers was very positive. GitHub is now extending that protection feature to its public repositories. This benefits the greater software development and delivery ecosystem. Kudos to GitHub for placing security over profits with this decision.

Closing the hole Black Lotus is taking advantage of is a darn good idea. That secure boot flaw (CVE-2023-24932) along with the privilege escalation flaw (CVE-2023-29336) require local access to exploit, but with a significant number of remote and mobile/remote workstations in the environment these days, local access options have increased dramatically; you need to factor that into your evaluation of risk.

For Microsoft users, whenever you see the words ‘actively exploited’ in the security bulletin, immediately elevate its priority in your patch cycle.

In its opening to Google I/O, Google demonstrated the use of AI to extend the utility and usability of its other products and applications. One such demonstration was to improve the quality of code during the development process. Such use of AI should show up in a marked reduction in the number of patches. Traditional testing is not getting the job done.

Great transparency. Leaders in cyber security do not necessarily distinguish themselves by having no incidents, but by how they deal with them. That said: This incident shines a bright light on the problem of securely on-boarding employees. In particular with more and more remote work, handing out credentials and access, "bootstrapping trust," can be difficult.

Dragos doesn’t provide a lot of detail on the compromise of the onboarding process, but their top 5 recommendations point out that when moving up to MFA, important to think through how someone would attack your onboarding process: “Harden Identity & Access Management infrastructure and processes; Implement separation of duties across the enterprise; Apply the principle of least privilege to all systems and services; Implement multi-factor authentication everywhere feasible.”

Although Dragos revealed few attack details, it does provide an opportunity for organizations to review their onboarding processes. This has become important as today’s workforce is largely remote, elevating identity and access management as a key security consideration before granting access to corporate assets. This ‘near-miss event’ should be documented and added to a company’s risk management discussion.

While I prefer in-person verification and delivery of the initial credentials, we have all implemented workflows to allow for remote validation and credential issuance. Consider the scenario from Dragos and review your processes to see if there are ways it could be bypassed. Are there race conditions - e.g., your reusable password is used to obtain your MFA token, which could be modified to prevent abuse?

In the filing, the state of Missouri says it does 800 water service surveys per year and the EPA requirement would add 2-6 hours per survey per year, or roughly a full-time job for at least one employee – even though Missouri states it already requires public water systems to publish cyber risk plans. If those plans were already actively being reviewed for sufficiency and actual implementation (vs. just a box being checked that the plans were created), seems like a high estimate of added cost.

The lawsuits were to be expected; no one wants to give up their rights. But when it comes to critical infrastructure that protects the nation, it has to be shared responsibility. In a perfect world you would have a common, minimum cybersecurity baseline that every critical infrastructure sector agrees to and is measured against. Let’s move cybersecurity inspections from “do you have a plan?” to “I’ve implemented and actively monitor the baseline established.”

Part of the challenge is the estimated impact of the new required regulations, particularly on staffing. When faced with new regulations which appear to have a big impact like this, make sure that you’ve made sure the impact is just from the change in regulatory requirements and not from existing requirements you were not meeting which would undermine the believability of your objection.

Pretty gutsy move here. Sharp posed as an anonymous whistleblower when the company refused to pay his demands. Fortunately, Ubiquiti partnered with the FBI who were able to unravel the ruse and reveal the perpetrator. Good reason to include law enforcement, such as the FBI, in your investigation/response process.

This article reminds one of the saying “crime doesn’t pay”. It also highlights the importance for organizations to review their in-place controls to protect intellectual property. This is especially important when working with remote staff.

This is update 3 to SP 800-171, which applies to contractors processing government data. Most often in the DoD space. If you’re in this category or wish to be, review the guide and provide comments by July 14. The goal is to provide reasonable guidance to ensure that data is properly protected, not replace your existing framework or standards.

Of course "Controlled Unclassified" is a class. We need to be consistent in capitalizing the words "Classified" and "Unclassified" when they are being used as a term of art in a national security context.