SANS NewsBites

Microsoft Report Reiterates Need for MFA and Essential Security Hygiene to Keep BYOD Trustable; Patch All Linux Use ASAP; Put Updating Supermicro Motherboard Firmware On Your To-do List

October 6, 2023  |  Volume XXV - Issue #79

Top of the News


2023-10-05

Microsoft: Most Ransomware Compromises are Due to Unmanaged Devices

According to Microsoft’s recently published Digital Defense Report, “80-90 percent of all successful ransomware compromises originate through unmanaged devices.” Microsoft offers suggestions to improve security at organizations that allow bring your own device (BYOD); the UK’s National Cyber Security Centre also has BYOD guidance. The Microsoft report also notes that human-operated ransomware attacks are up more than 200 percent. Most of those attacks targeted organizations with fewer than 500 employees. The report also reinforces the importance of essential security hygiene, saying “Basic security hygiene still protects against 99% of attacks.”

Editor's Note

There is not a lot of backup in the report on what they mean by “unmanaged devices” as the origination point of successful ransomware. Since the majority of ransomware attacks start with a successful phishing attack, the use of personally owned phones to give away reusable passwords could be the major component - especially since the report also says 99% of all attacks would be thwarted by MFA and other essential security processes.

John Pescatore

The key takeaway from the Digital Defense Report is the importance of cyber hygiene in protecting your enterprise. At the non-profit Center for Internet Security (CIS), the Critical Security Controls are the natural starting point. CIS IG1 safeguards (referred to as essential cyber hygiene) provide an effective defense against the top five attack types (including ransomware).

Curtis Dukes

All devices used for corporate business need to be well managed, to include BYOD. The effectiveness of BYOD is tied to how much you can manage the device, effectively making them corporate devices. The problem with BYOD is you don't own the device, so you are reliant on user consent as you don't have the same legal standing as you would with corporate devices to enforce configurations or take action. Be prepared to provide corporate devices to any who have concerns about you fully managing their BYOD choice.

Lee Neely

This one is interesting; I’ve seen a lot of midsize and small businesses go the route of “BYOD” in the sense that they are not managing endpoints at all. Some even allow any machine to be used for remote work. This is a serious concern. If you have devices in your environment, manage them.

Moses Frost

The trend is for more and more access to be via user owned or managed devices. Such access should be contained or isolated so as to resist both user error and/or device compromise spreading laterally to mission critical applications and services.

William Hugh Murray

2023-10-04

Looney Tunables Vulnerability Affects Most Linux Distributions

A buffer overflow vulnerability in the GNU C Library's (glibc) dynamic loader affects nearly all Linux distributions. The vulnerability (CVE-2023-4911) was detected by researchers at Qualys; it can be exploited to attain full root privileges. The flaw “was introduced in glibc 2.34 in commit 2ed18c” in April 2021. Debian, Ubuntu, Fedora, and Gentoo have released updates to address the issue.

Editor's Note

"Just" a privilege escalation, but one that is easy to exploit and affects most Linux distributions in use right now. Luckily, patches are easily available. Patch, reboot and move on :)

Johannes Ullrich

The issue is that a buffer overflow can be caused during ld.so's dynamic parsing of the environment variable GLIBC_TUNABLES. The researchers were able to successfully exploit the vulnerability to obtain root privileges on the default installations of Fedora 37 & 38, Ubuntu 22.04 & 23.04, and Debian 12 & 13. RedHat has provided a mitigation using a SystemTap script, a kernel extension, which terminates any setuid program invoked with GLIBC_TUNABLES in the environment. Note that RHEL 8.4 and older are not affected.

Lee Neely
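As an added example (not code from the report, RedHat or Qualys), a Python audit that applies the same rule as the RedHat mitigation Lee describes: flag any setuid/setgid executable that is running with GLIBC_TUNABLES in its environment. It assumes the Linux /proc layout; the SAMPLE records are constructed, not captured from a real host.

```python
"""Host audit for the CVE-2023-4911 mitigation rule described above: flag any
setuid/setgid executable running with GLIBC_TUNABLES set. Added example; it is
not RedHat's SystemTap script and not Qualys code."""
import os
import stat
from dataclasses import dataclass

TUNABLE_VAR = "GLIBC_TUNABLES"

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated /proc/<pid>/environ layout into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing entry and anything without '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def is_setuid_mode(mode: int) -> bool:
    """True if the executable's st_mode carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

@dataclass
class ProcRecord:
    pid: int
    exe: str        # resolved /proc/<pid>/exe target
    mode: int       # st_mode of that executable
    environ: bytes  # raw /proc/<pid>/environ contents

def should_flag(rec: ProcRecord) -> bool:
    """The mitigation's decision: privileged binary plus GLIBC_TUNABLES in its env."""
    return is_setuid_mode(rec.mode) and TUNABLE_VAR in parse_environ(rec.environ)

def audit(records) -> list:
    """Return (pid, exe) for every record matching the rule."""
    return [(r.pid, r.exe) for r in records if should_flag(r)]

def collect_live() -> list:
    """Snapshot real processes; assumes Linux /proc and root to read others' environ."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            mode = os.stat(exe).st_mode
            with open(f"/proc/{pid}/environ", "rb") as fh:
                raw = fh.read()
        except OSError:  # exited, kernel thread, or permission denied
            continue
        out.append(ProcRecord(pid, exe, mode, raw))
    return out

# Constructed sample snapshot (not captured from a real host); only pid 101 matches.
SAMPLE = [
    ProcRecord(101, "/usr/bin/su", 0o104755, b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=64\0"),
    ProcRecord(102, "/usr/bin/bash", 0o100755, b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=64\0"),
    ProcRecord(103, "/usr/bin/passwd", 0o104755, b"PATH=/usr/bin\0HOME=/home/u\0"),
]
```

Run `audit(collect_live())` as root on a host to list live matches; a hit is worth investigating rather than assumed malicious, since the rule is deliberately broad.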

Yet another vulnerability found in an open-source library that affects a large number of vendor products. The coding flaw requires that the evil-doer be local on the device in order to elevate security access. That said, given the large number of Linux distributions affected and ease in privilege escalation, download and patch immediately.

Curtis Dukes

Great name, interesting bug. It’s always great to see a 90s-style bug appear in the 2020s. I suspect many devices will not be patched. Why do I mention this? IoT, containers, and some of the newer tech in which versioning of systems is not necessarily a thing. Let’s see how this one shakes out.

Moses Frost

2023-10-04

Supermicro BMC Vulnerabilities

Researchers from Binarly discovered seven vulnerabilities in Supermicro baseboard management controllers (BMCs). The flaws exist in the Intelligent Platform Management Interface (IPMI) firmware in certain X11, H11, B11, CMM, M11, and H12 motherboards. Supermicro has released updates; they need to be applied manually.

Editor's Note

Luckily, ransomware actors have enough networks left with simpler-to-exploit vulnerabilities. Take your time to patch this one to make sure these ransomware actors will not have to starve after organizations have gotten around to securing RDP. I expect you've probably got a decade or so before that happens.

Johannes Ullrich

BMCs are a very powerful tool for remote management, virtually eliminating the need to call the data center for physical assistance with a machine or having to go there yourself. That also means they are another "system" to manage/harden/patch. While you're working this, to include scheduling the firmware update, apply session timeouts as well as reviewing the BMC configuration best practices, which include putting them on isolated/monitored management networks with separate firewalls, using dedicated interfaces (not shared) on the system, and making adjustments where needed.

Lee Neely

These BMC issues are very similar to the DRAC and ILO issues in the past. When I say harden your control plane, I consider this the control plane also. Because it's SuperMicro, it may impact OEM systems and other vendors. Upgrade these; we find them unpatched all the time.

Moses Frost

The Rest of the Week's News


2023-10-04

Atlassian Patched Critical Flaw in Confluence Server and Data Server

Atlassian has released fixes to address a critical access control vulnerability in Confluence Data Server and Confluence Server. The flaw, which is being actively exploited, allows attackers to gain elevated privileges. The vulnerability does not affect versions of Confluence Data Server and Server prior to 8.0.0.

Editor's Note

This flaw can be exploited anonymously, so prioritize patching any internet-facing Confluence instances. Atlassian has published a mitigation which disables access to the setup pages; read the FAQ before heading down this path. Even if you apply the mitigation, the vulnerable code is still present, so you're going to have to apply the update. At this point updating to 8.5.2 (and higher) is where you should be targeting for long-term support.

Lee Neely

It’s been a bad last few months for Atlassian as its products have regularly been targeted by cybercriminals. Hopefully, once the dust settles, Atlassian will spend time reviewing its software quality assurance process across all products. That said, given that this is remotely exploitable and actively being exploited, download the patch and implement the mitigations immediately.

Curtis Dukes

Atlassian back in the news. This one is not an RCE. It *does* however create a new user, and it can be an administrative user. This was found in the wild and reported by Atlassian; they mentioned 23 customers had been impacted so far that they know of. The problem with this one is that just patching it will not be enough because users may now exist on your system. You must look at what has occurred, and many systems do not log the URLs accessed.

Moses Frost

2023-10-05

CISA and NSA: Most Common Network Misconfigurations

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published a joint cybersecurity advisory describing the 10 most common network misconfigurations. The list includes default configurations of software and applications; lack of network segmentation; weak or misconfigured multi-factor authentication; and poor credential hygiene. The document provides suggested mitigations for each item.

Editor's Note

I am pretty sure you can find similar lists created in the 90s or early 2000s with very much the same items listed. This is a reminder how little has changed, including our desire to make lists of things.

Johannes Ullrich

The advisory contains well known issues that have been on many top 20 lists for many years and that are discoverable by every vulnerability assessment tool out there. “Secure by Design” is a lofty goal, caveat emptor permanentus (the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made and forever during use) is the reality of physical and especially software goods.

John Pescatore

Hardening systems and applications has to remain a thing. We've all been there, not wanting to change the default password or other configuration because you don't know what will break. The thing is, our adversaries are counting on our taking that position, to their advantage. These 10 items are a mixture of technical and cultural changes. Make sure you've got them incorporated into your cyber hygiene plan, then have conversations with staff about how progress can be measured and motivated. Then provide the support and funding they need to be successful.

Lee Neely

While this report is a good reminder of what we should be focusing on improving, sadly there are no surprises in this list. It reinforces how the phrase “do the basics” when it comes to cybersecurity is much harder than it appears. Focusing on these issues, rather than new buzzwords, exotic threats, or hyped-up solutions, will vastly improve your security posture.

Brian Honan

CISA releasing this should be taken into consideration. There was a bad Cisco router issue that we had seen previously, so we must consider that they probably had this on their radar. Please make sure your infrastructure control plane is hardened. We talk about it a lot in SEC588 because it's usually not hardened.

Moses Frost

Kudos to CISA and NSA for publishing. That said, no real surprises in the advisory. It reinforces that more work is needed on implementing the basics. Quit looking for some magic tool that will solve cybersecurity. Take the time and effort to select a security framework, implement, and regularly measure compliance to it. A good starting point is the CIS Critical Security Controls, IG1.

Curtis Dukes

2023-10-05

CISA and NSA: Identity and Access Management Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published Identity and Access Management (IAM) guidance for developers and vendors. The document identifies seven key IAM challenges developers and vendors face and offers suggestions for each. In March of this year, CISA and NSA released a best practices guide for IAM administrators.

Editor's Note

I know your IDM system is a complex octopus of data feeds and automation, and Identity Management has to be done right. With services in the cloud, and changes like Zero Trust, reliance on Identity, and the systems that go with them, is increasing multi-fold. This guidance is intended to mitigate/prevent attacks such as social engineering, phishing, creation of new accounts for persistence, credential stuffing and unauthorized access to sensitive data and (restricted) resources. Don't try to boil the ocean here: build a roadmap, getting technology, resources and funding in place and tested so you can do a managed rollout/cutover to more secure practices such as MFA, to include support from the top.

Lee Neely

With the move to the cloud, hybrid working, and our ever-increasing dependence on third parties, having a solid Identity and Access Management program is becoming even more important. These are excellent guides which I strongly recommend you read and apply in your own organization.

Brian Honan

2023-10-05

Amazon to Require MFA for Privileged AWS Accounts

Amazon will require all privileged Amazon Web Services (AWS) accounts to enable multi-factor authentication (MFA) by the middle of next year. The program will be expanded throughout 2024 to include other accounts. Amazon encourages users to adopt MFA ahead of the deadline.

Editor's Note

Requiring MFA for privileged accounts is becoming the new normal with slow but steady decline in the use of perpetually vulnerable reusable passwords. Here’s an idea: call them “resilient zero trust credentials” when getting management backing.

John Pescatore

It is really frustrating that in 2023 a service provider setting MFA to be the default is news. MFA should be a standard default setting on all cloud services and not be something that makes news headlines when it is turned on.

Brian Honan

Don't wait for the hammer to fall: implement MFA on your admin and regular accounts now. If things break and you have to turn it back off, don't stop there; work through those challenges, so you're ready before turning it off is no longer an option.

Lee Neely

We probably should be shifting away from “requiring MFA” to “requiring the right MFA”. With the advent of Passkeys and FIDO2, we have a better solution than SMS. This doesn’t mean that we throw it all away, but for this level of access, consider FIDO2.

Moses Frost

Good to see Amazon AWS getting on the MFA train. Yes, start with privileged accounts and then continue MFA deployment for regular user accounts. As an aside, GitHub successfully followed this approach in 2022 and expanded the requirement in 2023.

Curtis Dukes

Strong authentication is both essential and efficient. However, since user interaction using existing credentials is required to set it up, it is difficult to mandate it. Carrots, sticks, and time are necessary to overcome inertia resistance from users based upon the false perception that it is inconvenient.

William Hugh Murray

2023-10-05

Apple Updates iOS and iPadOS to Address Zero-day

Apple has released iOS 17.0.3 and iPadOS 17.0.3 to fix two vulnerabilities, one of which is reportedly being actively exploited. The kernel vulnerability could allow a local attacker to gain elevated privileges; it “was addressed with improved checks.” The second vulnerability is a buffer overflow issue affecting WebRTC and “was addressed by updating to libvpx 1.13.1.”

Editor's Note

This is the third update to iOS/iPadOS 17, and the second to address a zero-day (17.0.1 was the first). CVE-2023-42824 may have been actively exploited in versions of iOS prior to 16.6. Push this update to your iOS/iPadOS 17 devices, and make sure that your iOS/iPadOS 16 devices are already on 16.7. The updates to version 17, both security and functional, are expected when a new OS is rolled out, as you really can't find them all in beta testing. Fingers crossed we'll be on a normal update cadence by Halloween.

Lee Neely

2023 has become the year of the zero-day in general, and a definite increase in attacks against Apple products. One suspects the upswing is a factor of the use of Apple products by senior leaders in both government and business. This creates a market for exploits and there are more than enough willing buyers. As the vulnerabilities are being actively exploited, download and install the update immediately.

Curtis Dukes

2023-10-04

Bitsight Researchers Detect Nearly 100,000 Internet-Exposed ICS Systems

Bitsight has detected nearly 100,000 Internet-exposed industrial control systems (ICS) at organizations around the world, including power grids, water systems, and traffic light systems. Although the figure seems high, the number of exposed systems has declined steadily over the past four years.

Editor's Note

That headline is alarming, isn't it? The good news is that the number is shrinking, albeit I would like to see it shrink faster. OT is a hot target right now, and we really need to not make those devices directly accessible. Don't forget about segmentation within your shop, and really restricting access, and use a tap or span port to monitor activity. Make sure that you're using available security functions. For example, you may have a sensor connected to a cellular modem; if it won't do a VPN, it likely has access controls you can use to limit connections to only authorized devices. Have the hard conversation with remote support/monitoring providers about how to best isolate and secure those connections, then talk about how compromise at other customer sites can impact you and how to mitigate that.

Lee Neely

A good summary of the potential attack surface for evil-doers to go after. It’s a reminder for organizations to stop and think whilst connecting operational technology to the Internet. There are absolutely business reasons to connect, just include and manage as part of your information security plan.

Curtis Dukes

If the researchers can count them, the rogue hackers and APTs can exploit them. However, being able to see it from the Internet does not identify the management that can fix it. That leaves us with general, rather than specific, warnings. You know who you are.

William Hugh Murray

2023-10-05

Cisco Updates Address Critical Flaw in Emergency Responder

Cisco has released updates to address a critical vulnerability in Cisco Emergency Responder (CER). CER is used to pinpoint the location of 911 callers. The issue lies in the presence of static user credentials for the root account; the flaw is remotely exploitable. The vulnerability affects Cisco Emergency Responder Release 12.5(1)SU4, which was released in 2021.

Editor's Note

Default credentials? We need to get past this. Unfortunately, this type of implementation is likely opaque to customers. In this case the default root credentials, which cannot be changed or deleted and were intended for development use only, made it to the production release. It's too easy to miss scrubbing that from the production release; alternate means should be used for testing. Note there is no mitigation/work-around; you need to apply the update.

Lee Neely

Ugh… a vulnerability caused by a hard-coded user credential. Given that this sort of security weakness has been discussed for at least a decade, it calls into question Cisco’s security architecture review process. In the meantime, given the critical CVSS score and it being remotely exploitable, download and apply the free software update immediately.

Curtis Dukes

Cisco Emergency Responder is used to help e911. Depending on the implementation, it is part of CallManager (UCM). Many cities have deployed it. Anytime you're dealing with 911, you have to consider that the system is not designed necessarily with security in mind. Anything that can impact 911 services should be taken very seriously. Patch.

Moses Frost

Internet Storm Center Tech Corner

New tool: le-hex-to-ip.py

https://isc.sans.edu/diary/New+tool+lehextoippy/30284

Normal Connections

https://isc.sans.edu/diary/Whats+Normal+Connection+Sizes/30278/

Apple Patches

https://isc.sans.edu/diary/Apple+fixes+vulnerabilities+in+iOS+and+iPadOS/30280

Are Local LLMs Useful in Incident Response?

https://isc.sans.edu/diary/Are+Local+LLMs+Useful+in+Incident+Response/30274

Cisco Emergency Responder Static Credentials Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cer-priv-esc-B9t3hqk9

Malicious Python Packages

https://checkmarx.com/blog/the-evolutionary-tale-of-a-persistent-python-threat/

Supermicro BMC Vulnerability

https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index.html

Looney Tunables Linux Privilege Escalation

https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so

Atlassian Confluence Server Vulnerability

https://jira.atlassian.com/browse/CONFSERVER-92475

Pytorch Vulnerability

https://github.com/advisories/GHSA-4mqg-h5jf-j9m7

BING Reads Captchas

https://twitter.com/literallydenis/status/1708283962399846459

Evilproxy vs. Microsoft 365

https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/