CISA Warns of ColdFusion Exploits; Microsoft Provides Windows 10 EOS Guidance; All Five Eyes on Memory Safety

Interesting that Microsoft offers extended support for Windows 10 Home. I doubt they are expecting a lot of home users to sign up for it. But there may be more Windows 10 Home in use in enterprises than expected. This in itself could be an issue. Windows Home does not include all the security and management features enterprises need to properly configure these systems.

This is above the security organization, but it is really time for CIOs to say, “At the end of 2025, should we really be supporting user devices that run big honking operating systems when they need to be patched more frequently than monthly, and are mostly (if not exclusively) accessing applications that are running in the cloud vs. on device?” From a security perspective, removing Windows from the threat chain is a major raising of the bar. If Windows stays in the user device picture, cost of patching/mitigating/re-imaging has to be part of budget planning.

Windows 11 was released in October 2021, as a free upgrade. With the upgrade to Windows 11 came a set of system requirements that many users likely did not meet. That said, four years is plenty of time to implement a migration plan from Windows 10, that includes the needed hardware refresh.

The most severe vulnerability in this set is a vulnerability in the Captive Portal code, OpenNDS, which was also known as "nodogsplash". We observed just this week scans for this component by some Russian hacktivists: https://isc.sans.edu/diary/rss/30450: Zarya Hacktivists: More than just Sharepoint.

The TinyXML open source component is essentially abandoned but Sierra created fixes for the flaws in their routers. The updates address all of the 20 vulnerabilities. While you may be thinking you’re off the hook in that exploitation has to be done from the WiFi interface, a compromised system could be leveraged here, so you really need to get those updates out.

The addition of 21 vulnerabilities is even more troubling when the same research also indicates two-thirds of deployed routers remain unpatched for previously reported vulnerabilities. Internet facing OT devices must be part of an organizations patch management process.

What is being targeted is the lack of a security monitoring/risk posture assessment program. Something which has to be continually done and updated. If you’re in a regulated industry, you’re aware of the requirements. What’s new is substantial fines after an incident. Maybe go make sure you’re not just checking a box here.

A relatively small incident like this will typically have hard react/recover/restore/communicate costs in the $4-5M range so the fine is just a 10% uplift. This one is smaller example of the previous item on the East River Imaging compromise.

Over the last 18 months or so, we’ve seen several settlements at both the state and federal level for violations of basic cybersecurity requirements that led to a data breach. This is but the latest enforcement action. Besides the fine, Lafourche Medical Group must implement several corrective actions to comply with HIPAA cybersecurity rules. This, and the other settlements, should serve as a wakeup call that basic cybersecurity requirements will be enforced.

Mid-sized medical services firms are attractive targets because of the billing data they store and the fact that they are often not large enough to have strong security teams or management focus on security/safety as they went online – and attackers have been taking advantage of both factors. If you are in a similar situation, use this one to convince management that the cost of avoiding a $50M incident is lower than going through one.

The attackers had access to their systems from August 31st to September 20th. Impacted people were notified starting around thanksgiving. ERMI is offering complimentary credit monitoring to those whose Social Security or driver’s numbers were part of the impacted data. If you’re a customer of ERMI, you want to check for fraudulent activity and, even if not impacted, setup credit monitoring and identity restoration services.

Restaurants that have unhealthy/unsanitary food handling conditions are routinely shut down and produce containing deadly bacteria is routinely removed from grocery store shelves. The HHS plan has steps to push out (voluntary standards which largely exist already) and to “Provide resources to incentivize and implement these cybersecurity practices.” After that, enforcement has to be part of the strategy.

As cybersecurity strategies go nothing surprising here. Instead of creating yet another set of voluntary cybersecurity requirements leverage what already exists and enforce them. Accountability has to be the crucial component of the strategy.