Ivanti has released a patch to address an API authentication bypass vulnerability affecting the Ivanti Sentry administrator interface. The flaw affects all supported versions of Ivanti Sentry, previously known as MobileIron Sentry (9.18, 9.17, and 9.16). Older versions may also be vulnerable. The vulnerability can be exploited to modify Sentry configurations.
Ivanti's MobileIron products continue to be under scrutiny for bugs, and to their credit, Ivanti is jumping on fixing them quickly. Ivanti Sentry acts as a gateway for ActiveSync and can also be a Kerberos Distribution Center Proxy (KKDCP) server, meaning it's a critical control point in allowing data and Kerberos tickets to flow to your mobile device fleet. The flaw, CVE-2023-38035, an authentication bypass with a CVSS score of 9.8, lies in the configuration APIs on the MobileIron Configuration Service. Make sure that MICS (port 8443) is NOT exposed to the Internet (restrict internal access as well), and get that patch deployed.
This is a double-edged issue where you have a critical component (MDM) from a manufacturer that at one point was the leader in the MDM space, combined with API authentication flaws, which are very common in web applications. This is a good case study: if an attacker can get into your MDM, they have access to plenty of your infrastructure to continue on. They can even deploy their own backdoors.
Bleeping Computer
Security Week
Ivanti
Ivanti
Google is testing a new Chrome feature that will alert users when extensions they have installed are removed from the Chrome Web Store, which indicates that the extension has been unpublished by the developer, taken down for violating Chrome Web Store policy, or identified as malware. The Safety Check feature is available for testing in Chrome 116 and will go live in Chrome 117, which is scheduled to be released on September 12.
This is one of those security features (like certificate revocation checking) that most of us thought were just built into browsers. After all, grocery stores quickly notify us that certain brands and date ranges of bagged lettuce were found to have E. coli. The first move in the browser world is almost always forcing the user to check and take action, but Google has a good track record of fairly rapidly moving to automate security features, so that user action is only required to override security rather than to enable it.
You have to imagine this was probably a bigger issue than we were led to believe if the Google team created this feature. Watch your extensions closely.
This feature will alert on three conditions: the item was marked as malware, the extension was taken down for violating Chrome Web Store policy, or the extension was unpublished by the publisher. Suspect items will be available for review in the Privacy and Security section of the settings page under Safety Check.
As consumers, we often add extensions to our browser without a second thought. We then forget about the extension and its potential as a security risk. This safety check will give consumers pause to periodically check what extensions they have installed. Kudos to Google for continuing positive security changes to Chrome that quickly become standard features for modern browsers.
Chrome
Bleeping Computer
Infosecurity Magazine
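A practical complement to Chrome's new alert is knowing what is installed in the first place. The script below is an added example, not Google's code or anything from the articles above: it parses the extension map from a Chrome profile's Preferences JSON and flags extensions that were not installed from the Web Store or that Chrome has disabled. The layout of the "extensions" -> "settings" map (per-ID "manifest", "from_webstore", "state", and "install_time" keys) is an assumption about the Preferences format; the sample data is constructed, and the profile path on a real system (for example ~/.config/google-chrome/Default/Preferences on Linux) is likewise an assumption to verify locally.

```python
"""Inventory Chrome extensions from a Preferences file (added example, not Google's code)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt shaped like the "extensions" -> "settings" map in Chrome's
# Preferences JSON (assumed layout; IDs, names and timestamps are made up).
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "manifest": {"name": "Tab Tidy", "version": "2.1.0"},
                "from_webstore": True, "state": 1,
                "install_time": "13332000000000000",
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "manifest": {"name": "Coupon Helper", "version": "0.9"},
                "from_webstore": False, "state": 1,      # sideloaded, not from the Web Store
                "install_time": "13334000000000000",
            },
            "cccccccccccccccccccccccccccccccc": {
                "manifest": {"name": "Old PDF Tool", "version": "1.0.4"},
                "from_webstore": True, "state": 0,       # disabled by the user or by Chrome
                "install_time": "13300000000000000",
            },
        }
    }
})

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (Windows FILETIME epoch).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time(ticks):
    """Convert a Chrome microsecond timestamp (string or int) to an aware datetime."""
    return CHROME_EPOCH + timedelta(microseconds=int(ticks))


def inventory(prefs_json):
    """Return one record per installed extension, oldest install first."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    rows = []
    for ext_id, info in settings.items():
        manifest = info.get("manifest")
        if not manifest:  # entries without a manifest are not user-visible extensions
            continue
        rows.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "from_webstore": bool(info.get("from_webstore", False)),
            "enabled": info.get("state") == 1,
            "installed": chrome_time(info.get("install_time", "0")),
        })
    return sorted(rows, key=lambda r: r["installed"])


def needs_review(rows):
    """Flag sideloaded extensions (no Web Store vetting) and disabled ones (remove, don't keep)."""
    return [r for r in rows if not r["from_webstore"] or not r["enabled"]]


if __name__ == "__main__":
    for r in inventory(SAMPLE_PREFERENCES):
        print(f"{r['installed']:%Y-%m-%d}  {r['name']:<14} {r['version']:<8} "
              f"webstore={r['from_webstore']} enabled={r['enabled']}")
    print("review:", [r["name"] for r in needs_review(inventory(SAMPLE_PREFERENCES))])
```

To run this against a real profile, replace SAMPLE_PREFERENCES with the contents of the Preferences file (close Chrome first, since it rewrites the file on exit). Extensions that show up as disabled without the user having done so are the ones the new Safety Check is designed to surface.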
A patch is available to fix a high-severity vulnerability in the WinRAR file archiver utility. The flaw could be exploited to attain arbitrary code execution by tricking users into opening a maliciously crafted RAR file. The vulnerability was discovered by a Zero Day Initiative researcher who reported it on June 8; the flaw was addressed on August 2 in WinRAR 6.23.
The flaw is exploited when you decompress/open the RAR file. CVE-2023-40477 has a CVSS score of 7.8, so don't put this on the back burner; push out the updated WinRAR wherever it is installed.
Zero Day Initiative
The Hacker News
Bleeping Computer
The Register
A misconfigured Hotmail DNS Sender Policy Framework (SPF) record prevented recipient services from determining that messages from Hotmail came from a trusted source. Hotmail users noticed last Thursday evening that messages were being returned with errors related to SPF.
Back in January, planes in the US couldn't take off because a required Notice to Air Missions file that pilots needed to check before taking off had become corrupted. Microsoft quickly handled this self-inflicted wound to Hotmail, but it's a good reminder that File Integrity Management for a handful of files is a critical security process.
Now that we've implemented SPF, DKIM and DMARC, it's important to keep those updated and configured properly so that legitimate email flows and bogus messages are rejected. Consider the use case where you have a new service provider which is going to be sending messages on your behalf from one of your email addresses: make sure your email and DNS teams are in the loop prior to having a "feature rich" announcement.
Microsoft, specifically on the “Microsoft account side” where the keys could have been compromised, and all the scrutiny around this, needs to have a few months of being out of the news for incidents. I’m hoping they can figure out what’s happening at that group to keep causing issues.
The last few weeks have been difficult for Microsoft’s image as a ‘security first’ company. We’ve had the yet to be explained loss of a critical signing key, and now a configuration change that resulted in a corrupted DNS file. Perhaps it’s time for Microsoft to revisit its configuration control processes.
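The Hotmail outage is a reminder that an SPF record is a small text string with strict syntax, and a one-character mistake breaks mail delivery for everyone behind it. The linter below is an added example (not Microsoft's tooling, and not derived from the Hotmail incident) that checks a published SPF record for the mistakes that most often surface as SPF failures or permerrors: a missing or misspelled "v=spf1" prefix, more than one SPF TXT record, an unknown mechanism, a "+all" that authorizes everyone, terms placed after "all" (never evaluated), and more than the ten DNS-lookup terms RFC 7208 allows. It works on record strings only, so it runs offline; the records and domain names are constructed, and a change-control check would feed it the value about to be published before it reaches DNS.

```python
"""Offline SPF record linter (added example; constructed records, no DNS queries)."""
import re

# Constructed sample records keyed by domain; each value is the list of TXT records
# that start with v=spf1 for that name. None of these are real domains or real records.
SAMPLE_RECORDS = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "typo.example": ["v=spf1 ip4:192.0.2.0/24 includes:_spf.example.net -all"],
    "two.example": ["v=spf1 include:a.example -all", "v=spf1 include:b.example -all"],
    "open.example": ["v=spf1 +all"],
    "late.example": ["v=spf1 -all ip4:192.0.2.1"],
    "lookups.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

# qualifier, mechanism name, optional ":domain" or "/prefix" argument (RFC 7208 section 5)
MECHANISM = re.compile(r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?:[:/](.*))?$", re.I)
MODIFIER = re.compile(r"^(redirect|exp)=(.+)$", re.I)
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # each costs a DNS lookup
MAX_LOOKUPS = 10                                          # RFC 7208 section 4.6.4


def lint_spf(records):
    """Return a list of human-readable findings; an empty list means the record looks sane."""
    findings = []
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; RFC 7208 permits exactly one")
    terms = records[0].split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record does not start with 'v=spf1'")
        return findings

    lookups, saw_all, saw_redirect = 0, False, False
    for term in terms[1:]:
        if saw_all:
            findings.append(f"term '{term}' after 'all' is never evaluated")
            continue
        m = MECHANISM.match(term)
        if m:
            qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
            if mech in LOOKUP_MECHS:
                lookups += 1
            if mech in ("include", "exists", "ip4", "ip6") and not arg:
                findings.append(f"mechanism '{mech}' requires an argument")
            if mech == "all":
                saw_all = True
                if qual == "+":
                    findings.append("'+all' authorizes every sender on earth; use -all or ~all")
            continue
        mod = MODIFIER.match(term)
        if mod:
            if mod.group(1).lower() == "redirect":
                lookups += 1
                saw_redirect = True
            continue
        findings.append(f"unknown term '{term}'")

    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not saw_all and not saw_redirect:
        findings.append("no 'all' mechanism or redirect= modifier; result defaults to neutral")
    return findings


def lint_all(records_by_domain):
    """Lint every domain and return only those with findings."""
    return {d: f for d, r in records_by_domain.items() if (f := lint_spf(r))}


if __name__ == "__main__":
    for domain, findings in lint_all(SAMPLE_RECORDS).items():
        for f in findings:
            print(f"{domain}: {f}")
```

The lookup count here is a floor, not the real total: included records add their own lookups, so a record that passes this check can still exceed ten once the includes are resolved. A full resolver-backed evaluator (for example the pyspf package) is the right tool for that second step.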
The US Department of Health and Human Services (HHS) Advanced Research Projects Agency for Health (ARPA-H) has launched a program that will ultimately help protect the country’s healthcare system from ransomware attacks. The Digital Health Security (DIGIHEALS) Project is seeking proposals for technologies that will ensure the continuity of patient care when healthcare entities experience cyberattacks.
Looking at most healthcare security incidents (and really most security incidents in all verticals), flaws in processes and people skills (which are needed to develop and implement effective and efficient processes) are 99% of the time what enabled the attack to succeed. There are definitely unique challenges, especially in the US, in how healthcare is funded, staffed and delivered that could benefit from innovation in how technology can be made more usable in life and safety environments.
Technology advances create efficiencies in delivery of vital services. Unfortunately, when a ransomware event occurs, technology becomes the Achilles’ heel for organizations, and they are left to reconstitute business operations using manual processes. This is certainly true in the healthcare sector. In the short term the most effective protection against ransomware is adequate funding for basic cyber hygiene using an established cybersecurity framework such as the CIS Critical Security Controls.
As healthcare providers are often on a tight budget, this is a chance to get needed funding to implement security measures. Anything we can do to raise the bar for the healthcare industry will help; there is no indication that there will be a reduction of attacks focused on this sector.
Well-intended, if somewhat speculative. In the meantime, encourage strong authentication and isolation of mission-critical patient-facing (clinical) applications from high-risk Internet-facing (e-mail, browsing) applications.
Juniper has released updates for the Junos OS J-Web interface to fix four vulnerabilities that can be combined to attain unauthenticated remote code execution. While each of the vulnerabilities separately has a severity rating of medium, when they are chained together the severity rating increases to critical.
While you're waiting for the outage window to apply the update, you can either disable the J-Web interface, or limit access to trusted hosts only. These devices should already be in your prioritized updates category. Don't get sidetracked with the individual CVSS scores of the weaknesses, CVE-2023-36844 through CVE-2023-36847, _COMBINED_ they are rated as critical.
Security Week
The Hacker News
Juniper
Jenkins has published a security advisory alerting users to 19 vulnerabilities in a variety of its products. Among the flaws addressed are four high-severity issues: stored cross-site scripting vulnerabilities in Shortcut Job Plugin, Docker Swarm Plugin, and Flaky Test Handler Plugin, and a cross-site request forgery (CSRF) vulnerability in Folders Plugin.
Exploiting CVE-2023-40336 could result in approval of unsandboxed scripts, resulting in unsafe execution. Two of the flaws, CVE-2023-40342 and CVE-2023-40346, are due to improperly escaped content. Long story short, install the updated components: Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5.
Products like Jenkins that are sold to implement Continuous Integration/Continuous Delivery pipelines have features like SafeReStart and Quiet Start that enable pipelines to be seamlessly and safely resumed – great candidates for fast patching!
Given Jenkins use in automating software development and delivery pipelines… you know the drill, patch now.
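With eight plugins to check across what is often several controllers, it helps to compare an exported plugin inventory against the fixed versions listed above rather than eyeball them. The script below is an added example, not Jenkins project code: it takes the fixed versions exactly as given in the advisory summary (keyed by the plugin display names used above, since the short plugin IDs are not on the page) and reports which entries in an installed inventory still need an update. Jenkins plugin versions mix plain numbers (1.27.5.1) with incremental-style versions (953.v0432a_802e4d2), so the comparison uses the leading integer of each dot-separated segment; that is a deliberate simplification of Jenkins' own VersionNumber ordering, and the sample inventory (including its hash-like suffixes) is constructed.

```python
"""Check an installed Jenkins plugin inventory against advisory fixed versions (added example)."""
import re

# Fixed versions as listed in the advisory summary above, keyed by display name.
FIXED_VERSIONS = {
    "Blue Ocean": "1.27.5.1",
    "Config File Provider": "953.v0432a_802e4d2",
    "Delphix": "3.0.3",
    "Flaky Test Handler": "1.2.3",
    "Folders": "6.848.ve3b_fd7839a_81",
    "Fortify": "22.2.39",
    "NodeJS": "1.6.0.1",
    "Shortcut Job": "0.5",
}

# Constructed inventory of one controller (display name -> installed version).
# The versions and hash-like suffixes are made up for the example.
SAMPLE_INVENTORY = {
    "Blue Ocean": "1.27.5",                  # one patch level behind
    "Config File Provider": "953.v0432a_802e4d2",  # already on the fixed build
    "Folders": "6.846.v0000000000000",       # 846 < 848 -> needs update
    "Shortcut Job": "0.4",
    "Git": "5.2.0",                          # not in the advisory; ignored
}


def version_key(version):
    """Turn '6.848.ve3b_fd7839a_81' into (6, 848, 0): leading integer per segment, else 0.

    Simplification of Jenkins' VersionNumber: the first numeric segment of an
    incremental version is the one that actually increases between releases.
    """
    key = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def is_at_least(installed, fixed):
    """True when the installed version is the fixed version or newer."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 1.27.5 compares as 1.27.5.0
    b += (0,) * (width - len(b))
    return a >= b


def audit(inventory, fixed_versions=FIXED_VERSIONS):
    """Map each advisory plugin found in the inventory to 'ok' or the version to move to."""
    report = {}
    for name, installed in inventory.items():
        fixed = fixed_versions.get(name)
        if fixed is None:
            continue
        report[name] = "ok" if is_at_least(installed, fixed) else f"update to {fixed}"
    return report


def outstanding(inventory, fixed_versions=FIXED_VERSIONS):
    """Names of plugins still below the fixed version."""
    return sorted(n for n, status in audit(inventory, fixed_versions).items() if status != "ok")


if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:<22} {SAMPLE_INVENTORY[name]:<24} {status}")
```

Plugins that are installed but missing from the advisory list (Docker Swarm Plugin, which the summary names but lists no fixed version for) will not show up here; those need a manual check of the advisory for whether a fix exists.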
The US National Credit Union Administration (NCUA) has announced that as of September 1, 2023, all federally insured credit unions must notify them of “reportable” cybersecurity events within 72 hours after becoming aware of the incident. NCUA defines a reportable incident as one that results in “a substantial loss of confidentiality, integrity, or availability of a network or member information system, … a disruption of business operations, or unauthorized access to sensitive data.”
The recent SEC rule changes mandate notification within 96 hours for public financial institutions that suffer a material breach. The NCUA is requiring notification within 72 hours for 'reportable' cybersecurity breaches. Let's not argue the efficacy of 72- vs 96-hour notification, but rather harmonize on a single reporting standard for the financial sector, and perhaps every industry sector.
If you're on a CU board, ask your CEO for details on what they consider the thresholds to be for reportable events and whether they are clear on who is responsible to report and how. Then determine what notification you, as a board, expect. Remember you're governing, not operating.
Fairly obvious requirement, good definition of what triggers the requirement, reasonable time.
Australian software company Energy One has disclosed that its network was the victim of a cyberattack last week. The company says that the incident affected systems in the UK as well as in Australia. They have not yet determined if the attack affected customer-facing systems and what data were compromised.
Nothing definitive yet. Keep an eye on their web site for updates on what was breached and current state.
Think supply chain.
SystemBC Scans and ProxyNation
https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138
From a Zalando Phish to a RAT
https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136
Exchange Server Security Update Re-Release
Ivanti Sentry Vulnerability Exploited
Hotmail SPF Record Error Leads to Spam False Positives
DUO Security Outage
https://status.duo.com/incidents/rw7g0q7ztj8f
mTLS Vulnerabilities
https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
RARLAB WinRAR Recovery Volume Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector
https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/
Google Chrome to Warn Users of Malicious Extensions
https://betanews.com/2023/08/17/google-chrome-to-warn-users-about-problematic-extensions/