Last week, Microsoft disclosed that hackers with ties to China’s government used forged authentication tokens to break into email accounts at US government agencies and other organizations. It is not yet clear how the attacker obtained the encryption key necessary to create the tokens. The attack can be detected only by Microsoft customers with certain, more expensive licenses. The situation has not escaped the notice of government officials: in a press call, a senior CISA official said that “Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box.”
A little over twenty years ago Bill Gates kicked off the now infamous Trustworthy Computing Initiative in Microsoft in response to security concerns over Windows. It’s now time for a similar Trustworthy Cloud Computing Initiative to be started in Microsoft, and other cloud service providers, to ensure security is built into the cloud services being provided and not provided as an optional extra with additional costs.
The cost savings from moving to the cloud have to come from somewhere. If you want full insight into who accesses your data, how, and when: stay on premises. If you move to the cloud, you better hope that cloud providers can keep their access keys secure as once they lose them, even the most expensive logging option is unlikely to keep you secure.
While there is call for tiered services for cloud offerings, log information should not be tiered: it should be available at all license levels, ideally with options to send it straight to your SIEM/SOAR platform. That said, if you're a Microsoft 365 customer, talk to your technical account representative about what level of visibility can be gained by having E5/G5 licenses for your security and tenant administration teams, vs. upgrading all users to those levels.
Microsoft should do this and make logging available to all users. It just makes security sense. Even if they don’t store any logs or make you pay for extra storage, the logs should be available and exportable to everyone. This level of goodwill will go a long way. Is this the generational Windows XP SP2 story, and will we talk about this in 10 years?
Back in 2021 Microsoft was in the news for the extra costs associated with Advanced Audit and the costs to store those audit logs. They offered a 1-year free trial to Gov Cloud users and… things quieted down. Fast forward two years and we’re talking about access to advanced logging, again. Here’s the rub: a security practitioner wants everything logged for when a security incident occurs; I can’t argue with that position. Yet, that logging comes at a cost to the company in both storage and the skills necessary to review. What really should be discussed is how the evil-doer got access to an inactive signing key. That seems to be the more serious security lapse on Microsoft’s part.
SC Magazine
Ars Technica
Cyberscoop
Dark Reading
Microsoft
Forescout has published a list of the five riskiest connected devices in Information Technology (IT), the Internet of Things (IoT), Operational Technology (OT), and the Internet of Medical Things (IoMT). The lists are derived from “a data-driven approach by analyzing millions of devices in Forescout’s Device Cloud using Forescout’s multifactor risk scoring methodology.” Of the 20 types of devices in the lists, seven did not appear in last year’s lists: VPN gateways, security appliances, network-attached storage (NAS), out-of-band management, engineering workstations, remote terminal units, and blood glucose monitors.
Running Network Access Control to check danger/vulnerability levels of anything connecting to you (a prerequisite for talking about Zero Trust anything) gives you this kind of data on a continual basis. Forescout found 10% of EDR clients disabled; often you see that 25% or more of patches did not actually take, even though IT claimed all patches were pushed out. Not running NAC is like putting a piece of black tape over that annoying “Check Engine” light – cheap at the start, soon to require a much more expensive repair.
OT/IoT systems and components are well known for their vulnerable nature. Regardless of why, make sure that you're properly protecting them in your environment, with the predominant actions being segmentation, not exposing them directly to the Internet, active monitoring for unwelcome advances, and keeping them updated. Leverage vendor security best practices and listen to your OT experts when they talk about their security framework, which may not resemble what you're used to but is designed to do exactly these things.
This is clickbait to advertise a product. IoT devices are insecure, and managing a remotely accurate inventory can be tricky. Adding "VPN gateways" only now, after they have been exploited for years and led to major ransomware issues, shows how this list is not really all that meaningful.
This is Forescout’s third year publishing this report. The key takeaway for me is less about an annual list of the riskiest connected devices but more fundamentally, about knowing one’s environment. Knowing your environment includes inventory and control of enterprise assets (hardware, software, and data). Once you have that inventory you can protect (configure, patch, remove unauthorized) and monitor the enterprise – both IT and OT (if applicable). That’s why the Center for Internet Security prioritizes hardware, software, and data as the first three critical security controls.
Risk from these devices is a function of their vulnerability and their numbers. To use this study to reduce risk, patch those devices that you have the most of.
Zimbra is urging users to apply a patch to Zimbra Collaboration Suite 8.8.15 to address an actively exploited vulnerability. The vulnerability can be exploited to steal or modify data. Zimbra plans to release an update that fixes the flaw later this month; for users who want to take preventive measures sooner, Zimbra has provided instructions for manually updating mailbox nodes.
Zimbra didn't exactly release a patch. They released instructions to edit a file on your server. This isn't something remotely acceptable even though the edit is fairly easy.
The root cause is lack of input validation. The fix adds processing an input parameter with their escapeXml function. Go ahead and apply the manual fix, it's only editing one line, and doesn't require a restart.
Adobe has released fixes to address critical vulnerabilities affecting ColdFusion and InDesign. The patches were part of Adobe’s scheduled monthly security update, which addressed 15 vulnerabilities in all.
Of the fixes Adobe released, three are for ColdFusion and twelve are for InDesign. CVE-2023-29300 (deserialization of untrusted data flaw) has a CVSS score of 9.8. While rolling out these patches, make sure the March update, which included the actively exploited CVE-2023-26360 (code execution and memory leak), was also applied. At this point, you should have migrated off ColdFusion. Check for any lingering instances, get them patched, then address the migration plan.
If you’re still a user of ColdFusion, given the CVSS criticality score (9.8), prioritize the download and patch now.
Alarmingly, plenty of large platforms still use ColdFusion.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a factsheet intended to help organizations migrating their operations “to a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security.”
This gathers up information you can leverage about five free tools you can use to cross-check your environment. The Cybersecurity Evaluation Tool (CSET), SCuBAGear, Untitled Goose Tool and Decider are from CISA; Memory Forensic on Cloud is from JPCERT/CC. Consider handing each of these tools to an intern to learn how to assess your cloud environments and see what they discover.
We find internal datasets and sensitive items in public cloud locations. I would love it if more people would send documents like this to general IT teams because the problem isn’t getting better.
Becton, Dickinson, and Co. has disclosed eight vulnerabilities affecting its medication infusion products. The flaws in the BD Alaris Guardrails Suite MX, versions 12.1.3 and earlier, could be exploited to compromise data, hijack sessions, modify firmware, and alter system configurations. BD said that “remediation and deployment planning for these vulnerabilities is currently in progress.” The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS medical advisory detailing the vulnerabilities.
While there are no indications these flaws are being actively exploited, the attacks are of low complexity, so that will change. Aside from keeping the BD components updated, make sure you've implemented strong access control, manage credentials, and monitor for inappropriate access/attempted access. These mitigations are called out in the CISA advisory and BD security bulletin.
IT management services firm JumpCloud says that a cyberattack launched by nation-state-sponsored threat actors earlier this summer targeted a specific subset of its customers. When JumpCloud learned of the attack, it reset all admin API keys as a precaution. The attackers gained initial access to JumpCloud’s environment with a spear-phishing attack.
JumpCloud has published the IoCs for this incident so you can cross check your own environment. https://jumpcloud.com/support/july-2023-iocs: July 2023 Incident Indicators of Compromise (IoCs)
See my Microsoft comment: If your cloud provider is compromised, you are compromised as well. But at least you saved a lot of money!
The JumpCloud response to this security incident should be applauded. While no one likes to fall victim to a spear-phishing attack, it happens. JumpCloud appears to have had a solid incident response plan in place, with auditable logging to assist in tracking adversary moves. They also appear to have been forthright in communicating details of the security breach.
Protect the enterprise from users that take bait by implementing strong authentication (to resist reuse of compromised credentials) and isolating browsing and e-mail from mission-critical applications (to resist lateral spread of compromise).
JumpCloud
Security Week
Ars Technica
Bleeping Computer
Gov Infosecurity
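The comment above suggests cross-checking your own environment against the indicators JumpCloud published. The script below is an added example of how to do that over free-form log lines; it is not JumpCloud's code, and the indicator values and log lines in it are constructed placeholders, not the real IoCs from the incident (substitute the vendor's published list). It matches domains (including subdomains of a listed domain), IPv4 addresses against single hosts or CIDR ranges, and SHA-256 hashes.

```python
"""Cross-check log lines against a published IoC list (added example).

The IOC values and log lines here are constructed placeholders, NOT the
indicators JumpCloud published. Load the vendor's list into SAMPLE_IOCS'
shape (domains, ips/CIDRs, sha256) and feed real log lines to scan().
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed placeholder indicators (hypothetical, not real IoCs).
SAMPLE_IOCS: Dict[str, List[str]] = {
    "domains": ["ioc-placeholder.example", "update-check.example.net"],
    "ips": ["203.0.113.42", "198.51.100.0/24"],
    "sha256": ["a" * 64],
}

# Constructed log lines in a generic "timestamp source key=value" shape.
SAMPLE_LOGS: List[str] = [
    "2023-07-12T10:01:22Z proxy allow user=alice dst=cdn.example.org:443",
    "2023-07-12T10:02:05Z dns query host=agent.update-check.example.net from=10.0.0.7",
    "2023-07-12T10:02:09Z fw connect 10.0.0.7 -> 198.51.100.77:443",
    "2023-07-12T10:03:41Z edr file_create path=/tmp/x sha256=" + "a" * 64,
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
# Hostnames: one or more labels ending in an alphabetic TLD (so bare IPs do not match).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class IocMatcher:
    """Holds normalized indicators and finds them in text."""

    def __init__(self, iocs: Dict[str, List[str]]) -> None:
        self.domains = {d.lower().rstrip(".") for d in iocs.get("domains", [])}
        # strict=False lets a host address like 203.0.113.42 become a /32 network.
        self.networks = [ipaddress.ip_network(x, strict=False) for x in iocs.get("ips", [])]
        self.hashes = {h.lower() for h in iocs.get("sha256", [])}

    def _domain_hit(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # Exact match or a subdomain of a listed domain.
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def scan_line(self, line: str) -> List[str]:
        """Return the indicators found in one line, tagged by type."""
        hits: List[str] = []
        for h in SHA256_RE.findall(line):
            if h.lower() in self.hashes:
                hits.append("sha256:" + h.lower())
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. "999.1.1.1" matched the regex but is not an address
                continue
            if any(addr in net for net in self.networks):
                hits.append("ip:" + ip)
        for host in HOST_RE.findall(line):
            if self._domain_hit(host):
                hits.append("domain:" + host.lower())
        return hits

    def scan(self, lines: List[str]) -> List[Tuple[int, str, List[str]]]:
        """Return (line_number, line, hits) for every line with at least one hit."""
        results = []
        for number, line in enumerate(lines, start=1):
            hits = self.scan_line(line)
            if hits:
                results.append((number, line, hits))
        return results


def scan_sample() -> List[Tuple[int, str, List[str]]]:
    """Run the matcher over the constructed sample logs."""
    return IocMatcher(SAMPLE_IOCS).scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for number, line, hits in scan_sample():
        print(f"line {number}: {', '.join(hits)}\n    {line}")
```

Subdomain matching matters because published domain indicators are often the apex while the actual beacon uses a generated host label; CIDR support matters because some vendors publish ranges rather than single addresses. Hash matching is exact, so only unmodified files will be found.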
The US Department of Commerce has launched a website that allows US organizations to certify their participation with the newly-adopted EU-US Data Privacy Framework. US organizations that transfer data between the EU and the US must certify participation by October 10, 2023. The website also allows US companies to certify compliance with the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework.
Expect continued pressure to meet GDPR requirements from European partners, including court cases being escalated to the European Data Protection Board where demands aren't met. The framework helps if you wish to leverage the new EU-US Data Privacy framework. But don't delay, October 10th is not that far off.
This is an important step in making the agreement effective.
Data Privacy Framework
Fedscoop
According to Mandiant, the number of attacks using USB drives as the initial vector of intrusion has increased significantly over the first six months of 2023. In a blog post, Mandiant describes two attack campaigns that used USB drives as the initial vector of attack: SOGU and SNOWYDRIVE. SOGU has been used in attacks targeting both public and private organizations across sectors; SNOWYDRIVE has been used in attacks against the oil and gas industries in Asia.
Time to remind folks about being wary of USB drives bearing gifts, because, yes, it's still a thing. Consider media kiosks for transferring any information from "foreign" USB (or other media) to trusted media. Make sure you're monitoring USB use and that your EDR is not ignoring malware using them as a delivery mechanism.
With today’s connectivity, cloud access, and collaboration platforms, the need for USB drives has plummeted. But perhaps in certain regions of the world, they forego these more modern means and continue to use USB drives. The bottom line: miscreants will use whatever means available to compromise hosts.
We had been asked to do penetration testing work using USB drops recently. I guess this is something that is happening more frequently again. Is it because people are moving around and returning to work environments?
According to analysis from Proofpoint, just 28 percent of hospitals in South Africa and the United Arab Emirates (UAE) have implemented the strictest level of the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocol. Healthcare organizations are increasingly becoming targets of ransomware operators, which speaks to the need to take extra precautions to protect their systems.
There are lots of tools, sites and services to help you implement (and validate) DMARC without causing career-limiting disruption. If you're not already using DMARC with a 100% reject policy, pull that thread. While not foolproof, it raises the bar, reducing the volume of malicious messages users have to treat properly.
In a perfect world DMARC should be deployed by every organization. Simply put, it’s an excellent security capability. Unfortunately, many organizations, including healthcare, don’t have the resources and skills to implement and monitor a DMARC solution. The only way to close gaps as highlighted in the Proofpoint analysis is with sustained investment.
Any reason to hope that the adoption is any better in Europe, Asia, or the Americas?
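The item and comments above turn on what "the strictest level" of DMARC means in practice: p=reject applied to 100% of failing mail, with subdomains not left at a weaker policy. The following is an added example (not from Proofpoint, SANS or any DMARC vendor) that parses a _dmarc TXT record into its RFC 7489 tag=value pairs and classifies it as strict, partial, monitor-only, or invalid, with findings explaining what is weak. The sample records are constructed; no DNS lookups are made.

```python
"""Classify DMARC policy strictness from a _dmarc TXT record (added example).

Levels: "strict" (p=reject, pct=100, sp no weaker than reject), "partial"
(enforcing but with a gap), "monitor-only" (p=none), "invalid".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    level: str  # "strict" | "partial" | "monitor-only" | "invalid"
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> List[Tuple[str, str]]:
    """Split a DMARC record into ordered (tag, value) pairs; malformed parts are skipped."""
    pairs = []
    for part in record.split(";"):
        if "=" not in part:
            continue
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def assess_dmarc(record: str) -> DmarcAssessment:
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings: List[str] = []

    # RFC 7489 requires v=DMARC1 to be the first tag.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return DmarcAssessment(False, None, None, 0, "invalid", ["record must begin with v=DMARC1"])
    policy = tags.get("p", "").lower()
    if policy not in STRICTNESS:
        return DmarcAssessment(False, None, None, 0, "invalid", ["missing or unknown p= tag"])

    # sp= defaults to p=; an unknown value falls back to p= with a finding.
    sub = tags.get("sp", policy).lower()
    if sub not in STRICTNESS:
        findings.append(f"unknown sp={sub}; treating as p={policy}")
        sub = policy

    # pct= defaults to 100; only that share of failing mail gets the policy applied.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer; treating as 0")
    if not 0 <= pct <= 100:
        findings.append(f"pct={pct} is outside 0-100")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on who is failing will not be received")

    if policy == "none":
        level = "monitor-only"
        findings.append("p=none: mail failing DMARC is still delivered")
    elif policy == "reject" and pct == 100 and STRICTNESS[sub] == STRICTNESS["reject"]:
        level = "strict"
    else:
        level = "partial"
        if policy == "quarantine":
            findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
        if pct != 100:
            findings.append(f"pct={pct}: only that share of failing mail is subject to the policy")
        if STRICTNESS[sub] < STRICTNESS["reject"]:
            findings.append(f"sp={sub}: subdomains can still be spoofed")
    return DmarcAssessment(True, policy, sub, pct, level, findings)


def strict_share(records: Dict[str, str]) -> float:
    """Fraction of domains at the strict level, the figure the Proofpoint analysis reports."""
    assessed = [assess_dmarc(r) for r in records.values()]
    return sum(a.level == "strict" for a in assessed) / len(assessed) if assessed else 0.0


# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS: Dict[str, str] = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:r@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=none; rua=mailto:r@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=reject; pct=25",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(record)
        print(f"{domain}: {a.level} {a.findings}")
    print(f"strict share: {strict_share(SAMPLE_RECORDS):.0%}")
```

Against live data, fetch the TXT record at `_dmarc.<domain>` and pass it to `assess_dmarc`; the `pct` and `sp` checks are what separate "has p=reject" from the strict level the Proofpoint figure counts.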
Zimbra Vulnerability Exploited
https://blog.zimbra.com/2023/07/security-update-for-zimbra-collaboration-suite-version-8-8-15
WooCommerce Vulnerability Actively Being Exploited
https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
Adobe ColdFusion Flaws exploited
CISA Cloud Security Fact Sheet: Free Tools for Cloud Environments
https://www.cisa.gov/sites/default/files/2023-07/Free%20Tools%20for%20Cloud%20Environments_508c.pdf
JumpCloud Breach
Microsoft Driver Certs Details
https://blog.talosintelligence.com/old-certificate-new-signature/
Threads App Lures
https://www.helpnetsecurity.com/2023/07/14/threads-app-lure/
First Releases CVSS 4.0 Preview