Require Supply Chain Partners to Move to 2FA; Update Expo's App Dev Framework; More Mandates for 2FA

This works out to about a cost of AU $7 per customer record exposed, on the low end – especially when weeks of business disruption happened. This figure is likely to be revised upward in the future. The telling quote from their presentation on what happened: “Threat actor obtained privileged credentials via a third-party vendor to access our systems.” Eliminating reusable passwords on privileged accounts is also critical to supply chain security.

The announcement from Latitude is a good example of complete transparency to include being very specific on details. The announcement not only states that they now have a clean bill of health; no malicious activity since March 16th, enumerates their resulting costs from the incident but also informs customers they are not expecting to pay dividends for six months ending June 30, 2023.

OAuth is a complex standard, with a lot of options. The use of a standard framework like "Expo" is likely the only way you are going to get it right. A vulnerability in this framework should not be seen as a reason to not implement OAuth, or to switch frameworks (worst: create your own). Patch and move on.

The issue was in the deprecated proxy authentication options, which removed the need for deep links in apps for authentication. While a fix for Expo was released immediately, the long term fix is to stop using the deprecated functions/methodology. One of the tricky parts of using third-party code/libraries/etc. is making sure you stay on their current functions/methodologies. I know this hits the "if it ain't broken don't fix it" nerve; the problem is that if you don't update your implementation, you could be in a really uncomfortable position when they unsupported functions have discovered flaws and you can't just deploy the new version.

This is a necessary move, and some may say overdue. But those who say that PyPI missed the boat on the 2FA requirement: You probably never managed a large complex open-source project.

This is a good move on PyPI's part; they are working to provide assurance that the project you're downloading has only been updated by those associated with the project. You should enable 2FA today, ideally using a FIDO U2F authenticator or PublicKey credential; get ahead of the curve so you have options before the setting is enforced. PyPI is also working on short-lived tokens for upload and API tokens with offline attenuation.

PyPI should be applauded for moving it users to 2FA. The Center for Internet Security Control 6, Access Control Management, requires using multi-factory authentication (MFA) for externally exposed applications, remote network access, and for administrative access. MFA ensures users only have access to the data appropriate for their role. Well done PyPI!

Strong authentication is essential, not simply preferred, not optional, for infrastructure applications and services. Should be required, not merely offered.

It is always good to see companies fined when they have documented cybersecurity policies that say “We do X, Y and Z” but it turns out they really don’t do X, Y or Z. Too many audits and certifications are just data calls that never actually discover that the walk doesn’t match the talk. The good news for OneMain is the fine is only about $2 per customer and may help them avoid a large future breach that would cost $100 per customer.

The kicker is that after paying the fine, these deficiencies still need to be addressed. At core, make sure you are actively managing third-party risk: implement a cybersecurity framework that includes application, insourced, outsourced and cloud-sourced services. Document your risk decisions, and make sure that you're re-assessing controls: trust but verify. Where you're using automation, make sure you understand what's checked and that it covers your environment, e.g. checking only for Windows events misses activity on your non-Windows systems.

This is the second cybersecurity related penalty levied by a New York State department over the last week [see SANS News Bites Vol. 25, Num. 42]. In this case, OneMain Financial failed to fully implement the DFS 2017 cybersecurity regulation internally and, as part of its third-party risk management process. In both cases the state maintains that the company did not maintain a standard duty of care to protect customer information. Let this serve as a wake-up call that lack of a demonstrable cybersecurity program has consequences.

While certain regulations, such as the EU GDPR, require suppliers to notify their clients of a breach within a certain timeframe, you should ensure that you include breach notification requirements in all your contracts with your suppliers. This is to ensure you are made aware of a breach impacting the service provided to you so you can decide how best to manage it and not have the details published weeks if not months after the event.

While ABB was hit May 7th, they appear to have all affected systems back online, and have not yet detected any customer data being exfiltrated. This appears to be the work of the Black Basta ransomware gang, which targeted Active Directory. Black Basta appears to be financially motivated and has recently targeted organizations such as Yellow Pages Canada, Knauf, American Dental Association, Capita, Sobeys, and Rheinmetall. This is a good time to make sure that your domain controllers are both implementing the current security baseline from Microsoft and running current, supported versions.

Purveyors of ransomware continue to target both small and, in this case, large enterprises. Hopefully ABB will provide additional details of the ransomware attack in the coming weeks. We can all learn from this unfortunate event by understanding how the evil-doers were able to compromise ABB systems.

Three take-aways from the two-page unclassified fact sheet: 1) Hunt forward cyber operations to defend the nation are the new normal; 2) Increased use of global partnerships in the cyber domain to respond to attacks on the US and allies; and 3) Leveraging all of the nation’s extensive cyber resources as one, to protect the nation.

While the published strategy is a classified document an unclassified version is scheduled to be released this summer. Given the basis in experience, there will be strategies and lessons learned we can all incorporate. This also is designed to align with the Biden-Harris Cyber Security Strategy released in March which expands on recent cybersecurity legislation, and had as much as $65 billion in funding; one has to be careful layering on legislation and change faster than it can be implemented and incorporated into daily operations.

Good Operations Security (OPSEC) practice says do not expose anything that one does not have to. This certainly includes "strategy." We also know that all actions and plans are more sensitive than raw data, organized and analyzed data, or even conclusions drawn.

The "S" in IoT still stands for security and unsurprisingly, the groups launching Mirai and similar botnets are going to expand their arsenal as new vulnerabilities are disclosed.

The team at Unit 42 are identifying this malware as Mirai variant IZ1H9, one of the most active Mirai variants, which uses these vulnerabilities to spread itself over HTTP, SSH and Telnet protocols. The first line of defense is to make sure that patches and updates are applied to your routers and firewalls. Then make sure that remote management is either disabled or limited to authorized systems and users. Couple those actions with NGFW attack and anomaly detection as well as mitigations such as URL and DNS filtering to block C2 services to raise the bar on your systems.

The light bulb comes on when I read "vulnerable installations" - yeah, time to make sure we're not only applying patches to the OS and IIS servers, but also scanning for misconfigurations. Make sure that you're scanning around your WAF to see any weaknesses it's masking as you want to fix them, just in case the WAF misses something. Lastly, make sure that your developers are sanitizing every single input. (I heard that eye-roll!) No matter how arcane, if it's a value provided by the browser, your developers must assume it can be manipulated and is not trustworthy.

What’s particularly concerning is the fact that Lazarus Group is exploiting known vulnerabilities or misconfigurations with Windows IIS servers. If the vulnerability is known, a vendor patch is available or mitigation strategies are available. Do two things: 1) patch the vulnerable servers; and, 2) configure those servers using freely available Center for Internet Security benchmarks.

This is not the preferred way to find deficiencies in your cybersecurity. Make sure that you're following requirements related to data you're processing and storing, to include record retention limits. If you're involved, even peripherally, in processing payments or payment card data, make sure you've checked with someone who really knows PCI-DSS on what you need to be doing. A 3–5-day assessment, from a third-party, will cost far less than a breach or regulatory fine.

Sports Warehouse is the second cybersecurity related penalty levied by the New York Office Attorney General in the past week. The agreement requires establishment of an information security program as well as requiring specific cybersecurity controls. Between the Attorney General and the Department of Financial Services, New York is sending a clear signal that businesses operating in the state must demonstrate a cybersecurity standard duty of care else they will be held accountable.