Check and Protect Any Basic Service Domain Service Accounts; Academic Institutions Need to Evaluate Impact of Latest MOVEit Breach; Get Assurances From Cisco on Splunk SIEM Futures

A detailed report but vague on the actual root cause, only saying “…initial access utilized the basic service domain service account, connecting to a server,” Phishing was never mentioned, could be a default account left unchanged. The compromise and over 1 TB of data exfiltrated were not noticed until the ransomware demand. The report noted that the IT security budget was about 2.5% of the IT budget, not unusual at the local level, though Dallas is a big city – but that level of spending is only usually sufficient when IT operations (configuration management, patching, upgrading, etc.) is very mature and that does not seem to be the case. The total cost of the incident was about $8. 5M or about $300 per record. As usual, the cost of avoiding this would have been much less than the cost of the incident.

John Pescatore

Kudos to the City of Dallas for providing an After Action Report (AAR) of the ransomware incident that affected city services. This AAR helps others understand attacker initial access, traversal mechanisms and injection of command-and-control software. The report further validates that attackers use available network management tools to fully map the network and determine location of data repositories. What’s unfortunate is the cost of cleanup (initially 8.5M) when a focus on basic cyber hygiene (patching, secure configuration, monitoring) could have preempted or limited the effects of this cyber incident.

Curtis Dukes

This is consistent with the current model of acquiring access, mapping the system fully, quietly, before exfiltrating and encrypting everything. Gaining access to a legitimate account continues to be a solvable problem. Beyond making sure you deploy MFA, particularly to privileged accounts, you need to ensure SOP includes shutting down inactive accounts judiciously, particularly those for employees who have left or retired. Make sure that maintenance accounts are only active when actually being used for maintenance. Also be sure to regularly scan for breached passwords in use in your environment and actively change them.

Lee Neely

A key part of a mature incident response process is learning from the incident. This report is a great opportunity to learn from someone else’s incident and to identify ways you can better protect your organization. Kudos to the City of Dallas for sharing this information so others can learn and better protect themselves.

Brian Honan

The compromise of a single account, no matter how privileged or reusable, should not be sufficient to compromise an entire enterprise the size of the city government of Dallas. Strong authentication, privileged access management, and network segmentation are essential in any all enterprises of that scale. If $8.5M is the cost of the cure, then the proportional cost of prevention should have been adequate to implement those three essential and efficient measures. If those measures are not in place in your enterprise, document the reasons and the decision not to implement them. The authority of the official saying not to implement them must include the discretion to implement them.

William Hugh Murray

The best move if you have a MOVEit service is to assume compromise and replace it. That may be easier said than done, so in the interim, make sure that you're hunting for those IoCs and have not only instrumented the service but also have active monitoring and playbooks at the ready.

Lee Neely

With over 2,000 victims of the MOVEit vulnerability, data breach notifications will continue for months. In this case it’s not only the National Student Clearinghouse that is affected, but also other organizations that use its services. No time like the present to avail yourself of the free credit monitoring services offered.

Curtis Dukes

Almost ancient history, but does anyone remember Cisco MARS? Cisco has been in the SIEM market before through licensing of software from netForensics and then by acquisition of Protego over 15 years ago. If the acquisition goes through (possibly the 5th biggest software acquisition in history), Splunk customers should get assurances and roadmaps from Cisco on how Splunk’s SIEM leadership will be increased and maybe even new pricing approaches.

John Pescatore

Standardized reporting requirements increase the likelihood incidents will be reported, reduce duplicative reporting and will help those processing those reports to better understand them. The next steps are for continued feasibility studies on the adoption of these recommendations, hopefully resulting in a new standard with an adoption timeline, hopefully in FY24.

Lee Neely

It seems as though the US Government has caught the ‘harmonization’ bug. We have the ONCD RFI on cyber regulatory harmonization and now cyber incident reporting harmonization. Anything we can do to simplify the requirements asked of industry when it comes to cyber incident reporting is a good thing.

Curtis Dukes

We have seen a lot of positive efforts aiding states and localities in assuring the integrity of the equipment they are using during elections. Many lessons were learned about process issues, as well. Both need to be addressed. Good to see the IT-ISAC and CIS pushing this forward.

John Pescatore

This is the first time that election equipment manufacturers have made their products available for testing outside of the normal EAC sponsored Voting System Test Laboratories. It allowed select, independent researchers to test outside the confines of the EAC voting equipment certification process. Kudos to IT-ISAC for sponsoring the forum.

Curtis Dukes

Continued progress to secure the IT used to collect and count votes is a step in the right direction, to include embracing secure configurations and pen testing. Once secure configurations are vetted and deployed, processes for keeping them updated and validated will need to be developed. Note that automation includes not only polling places, but also centralized tabulation and processing of absentee ballots. This still leaves election officials the challenges of getting voters to turn out, and making sure votes are genuinely cast by registered voters.

Lee Neely

The requirements for ballot secrecy, early reporting, and a high level of public trust in the results makes the US Presidential election system what we in IT call a hard problem, largely because there are thousands of local solutions. We should not leave their quality wholly to chance. This is an important initiative in solving the hard problem.

William Hugh Murray

Stack exhaustion or causing the daemon to crash are sub-optimal unless you're the attacker. While neither of these are being actively exploited, with the preponderance of DDoS attacks, you're going to want to update to BIND version 9.18.19 or preview edition 9.18.19-S1 soon.

Lee Neely

It’s unfortunate that Kia and Hyundai didn’t follow industry best practices when it came to ‘basic anti-theft technology.’ The result is a very large number of auto thefts targeting these two brands, owner and government angst, and accompanying lawsuits. The legal argument is simple: by not following industry best practices, Kia and Hyundai failed to exhibit a standard duty of care with their products. By the way, we are starting to see this play out when it comes to cybersecurity as well.

Curtis Dukes

Groups like the Kia Boyz or Kia Boys have turned stealing these cars into sport, which is amusing until it's your car that gets jacked, let alone more than once. Software updates were developed to provide an "ignition kill" capability as well as free steering wheel locks, even so there remain a large number of vehicles that don't have the update, and claims persist that the update doesn't solve the problem. If you own an affected Kia or Hyundai, be sure that you're working with your dealership to get the needed updates and mitigations. Add making sure that your vehicle includes an immobilizer needs to be on your requirements list for a new purchase. If it doesn't have one, you need to consider mitigations such as a steering wheel lock, as well as bypass scenarios.

Lee Neely

These agreements were made possible by the Executive Order on Enhancing Safeguards for United States Signal Intelligence Activities last October, which brought the U.S. in line with E.U. expectations on data handling in response to a series of EU court rulings finding U.S. surveillance laws provided inadequate privacy and rights protections for Europeans whose data may be transferred to data centers in the U.S. While this is also a factor with the UK, the U.S. and UK also have intelligence-sharing agreements and similar surveillance programs which helped enable the agreement. These agreements should allow tech companies doing data transfer to continue to do so without impediment, something AI developers will be able to leverage immediately.

Lee Neely

For government, this agreement and the earlier agreement with the EU are good things as they aid the timely search to uncover terrorist, criminal, and cyberattacks. For individuals, it can be a concern if the state uses the information for non-court sanctioned purposes. At the end of the day, if you’re law abiding, you have very little risk.

Curtis Dukes

As the "Set Basic HTML as default view" option is removed, trying out the Standard view and reverting if you don't like it isn't a viable plan. The Standard view has been out ten years, which is a pretty generous time to convert; in that time the average connection and browser has become faster and more performant, so unless you were counting on the difference in how mail readers worked with Basic vs Standard view, you'll be fine.

Lee Neely

Although Google did not provide the reason, I suspect they ‘ran the numbers’ and decided that it was no longer necessary to maintain the basic HTML codebase. From a security perspective, moving to standard view avails users of the latest security features – a good thing.

Curtis Dukes

The malware is highly targeted and localized to maximize success, making prevention difficult. You can reduce the risk by both rolling out the update, and leveraging lockdown mode, which is enhanced in iOS 17. This is a good time to start testing lockdown mode for folks in risky areas, particularly high profile users more likely to be a target. At the very least, send users with loaner phones which are wiped after trips to risky locations. The cost of the device is far less than the cost of a compromise.

Lee Neely