Carefully Test and Apply Intel Critical Patches; Google to Release Chrome Patches Weekly: Push Other Vendors to Follow; NIST Releases Updated Cybersecurity Framework

With all the updates we’ve seen for Chrome, it’s not a huge surprise to see weekly updates to keep ahead of the curve. At this point you should have your browsers set to automatically update with a forced relaunch in under 48 hours, so you’re just verifying the updates are in place, rather than spending time packaging and deploying.

Kudos to Google for their efforts to steadily close the patch gap for one of their products. While not perfect (but then what is with cybersecurity?), it does force the evil-doer to work harder in developing and executing an exploit. The change to weekly security updates should have little to no impact on the user.

And almost no applications will be harmed by this progress.

A Time to Detect of 14 months for a critical national system is a huge failure in security operations. The Commission states they have taken needed mitigation steps (such as “We have strengthened our network login requirements…”) and improved monitoring – perhaps that explains why disclosure took 10 months.

This was an attack on election support systems, rather than devices at polling places, which included information about voters and their choices for opting/out of data sharing. The nine month delay of public notice from the Election Commission hints they don’t have good data to fully determine the extent of the breach. Make sure that your team has sufficient information, not only about what sort of data is on which systems, but also forensic data is being forwarded and available for analysis, to include both system and application logs.

Three things are bothersome about this data breach: 1) 14 months for the UK Election Commission to determine they had suffered a cyber incident; 2) nine months for the UK Election Commission to notify residents of the loss of PII; and 3) the e-mail server was exploited 12 months before the critical ProxyNotShell vulnerability was publicly announced; is this patient zero? None of these numbers inspire confidence in the Election Commission’s ability to protect UK citizen data.

Mirroring my comment on last month’s Microsoft Vulnerability Tuesday patch release: If you set your “must patch ASAP” threshold very high (9.8 CVSS base/8.5 temporal), 3 of the 88 Microsoft flaws require immediate attention. If, and you should, you add “anything already being exploited” that adds 2 more for a total of 6. Obviously, all patches should be applied but triaging to get the most dangerous ones done ASAP needs to be the strategy.

The critical updates also include Office components such as Teams and Outlook. Rather than worrying about which update meets the CISA requirement, push the entire update, focused on timely deployment as there are actively exploited flaws being addressed.

Maybe it’s me, but it seems as though the monthly patch cycle has become predictable. I mean, tens of security issues announced, check; CISA adds to the growing KEV catalog; check; FCEB agencies are given 30 plus days to mitigate, until they waiver; check; and, evil-doers continue to attack; check. Until ‘secure by design’ principles become routine, follow the standard security advice by prioritizing critical vulnerabilities first, as part of your patch cycle.

The PDF of the strategy linked below is 21 pages in length. It will serve as a model for other states. A video of the Governor's introduction of the strategy can be found at https://www.youtube.com/watch?v=fQCtwcvmuks. While the drafting of the strategy was done at the NY Department of Financial Services (DFS), in her presentation the Governor demonstrated a remarkable grasp of the issues confronting the State and the Nation, ownership of the strategy, and a commitment to it. Well worth the thirty minutes.

The list of stakeholders appears broad enough, including city, county and state organizations, as well as New York State based offices of Homeland Security and military which raise the odds of success. This could be a model for others to follow.

Congratulations to New York State for publishing their first cybersecurity strategy. The true measure will be in how well they implement the strategy.

The good news is these types of law enforcement takedowns are no longer really newsworthy, any more than many other non-cybercrime law enforcement actions. But, much like newspapers still print (or publish online…) listings of restaurants that get shut down for health code violations, breached businesses should always be newsworthy to support smarter decisions both by buyers, and ideally proactive action by sellers and service providers.

It is encouraging to see continued progress on shuttering attack-based PaaS operations. While replacements will likely emerge, continued success in taking them down will hopefully give operators pause before establishing them.

Never underestimate the ingenuity of criminals to monetize all facets of a cyber operation.

There is as much as $20 million in funding from DARPA to create next generation cybersecurity tools in response to emerging AI capabilities. There will be follow up events at BlackHat and DEFCON for participants in the challenge. While there was a message of caution in the preceding BlackHat keynote on AI, this research is designed to tease out not only where we can go with AI, both mitigation of risks and leveraging capabilities to aid our cyber responders.

One hopes that this program will produce a new generation of tools rather than simply admiration of the problem that so often passes as research. IBM has been applying AI to the security of some its customers for several years. Their work demonstrates practical and efficient tools.