|News – Distilled from a detailed review review of 160 cybersecurity postings this month
| Dec #123
|Building on Shaky Ground
|Given the countless threat detection, prevention and removal software and non-IT defenses, it’s a sobering thought that there are still questions being asked regarding vulnerabilities in underlying software, hardware and drivers. The Windows Common Log File System (CLFS) is increasingly being targeted by threat actors as reported by Dark Reading as its inherent weakness become discovered. Dark Reading’s conclusion that this important Windows system component is due for a redesign.
| Dec #122
|Comcast bleeds data of 35.9 million customers
|We don’t cover the masses of daily ransomware and data breach attacks here unless there are lessons to be learned. It seems no coincidence that the SEC’s rules on disclosing cybersecurity incidents within 3 days came into effect the day before Comcast revealed that the CitrixBleed data breach hit them (actually possibly 35.9 of their Xfinity customers) back in mid-October. So, the legal department thought they’d better say something about it. However, beyond that, the question is “how they heck did it happen?” (1) Was the customer data on a server or was it lost in transit through Comcast’s network? (2). Either way, where was the microsegmentation of data that might have made exfiltration impossible. (3) It seems clear that there is no implementation of Zero Trust was deployed to prevent escalation of privilege least privilege for ID management, and the list goes on.
| Dec #121
|Those boring predictions
|Everywhere you look there are “Summaries of 2023” and “Predictions for 2024” that mostly regurgitate the same old boring stuff. Here’s mine.
- 2023 Summary
- Read the 120 stories below
- 2024 predictions
- Large enterprise executives and SMB companies will continue to be in denial re cybersecurity – and will get hacked.
- Companies will continue to be negligent on automatic patching, anti-phishing training and software – and will get hacked.
- I will continue the uphill challenge of getting people to understand the importance of holistic cybersecurity. Those that can be convinced will have significantly reduced risk.
- Cybersecurity will keep being unpredictable with new threats.
- The SEC, CISA and NIST will continue their good work with increasing pressure from enterprises via political lobbyists to water down their efforts.
| Dec #120
|Quantum Computing Breakthrough
|The approach of Quantum Computing and the demise of currently dominant asymmetrical encryption algorithms took an important step nearer with the announcement by DARPA (the U.S. Defense Advanced Research Projects Agency) and a paper in Nature Journal announced results from a team of almost two dozen scientists, most of them from Harvard, funded by a DARPA program known as ONISQ (Optimization with Noisy Intermediate-Scale Quantum devices). This has created a 200 fold increase in the creation of “logical qubits” – Quantum’s primary compute elements. Important new work on the creation of symmetrical encryption methods, resistant to quantum decryption is under way by NIST. More on both of these developing stories early in 2024.
| Dec #119
|My New Article on Critical Infrastructure
|I just took on the mammoth topic of Critical Infrastructure that impacts all of us. My latest article published in this month’s ISE magazine covers the challenges that have caused so many recent high-profile headlines. It examines how implementing the reborn Network as a Service, cybersecurity basics and Critical Infrastructure specifics can eliminate the scary incidents we see daily. Since completing article several weeks ago, much has happened and the story continues on the site on my Critical Infrastructure page. My next article publishes in February!
| Dec #118
|SEC regulations come into effect 12/18 but who decides the math?
|It turns out that the SEC regulations that require public companies to disclose material breaches only seem to apply to reporting to the SEC and really only to the FBI. I.e. 4 days can turn into 60 subject to FBI involvement or even 120 if the FBI deems it to be a “substantial security risk.” This sounds like an opportunity for political manipulation but is likely better than what we had before. More on this Bank Info Security Article.
| Dec #117
|Why do more attacks result in less security personnel?
|To quote from an interesting report and survey run by the CSO publication: “Even as the number of security incidents continues to grow in all sectors, 47% of the respondents plan to reduce their security headcounts, a new report by Observe has revealed. Remarkably, 62% of these organizations also reported a higher number of security incidents per month.” Also of interest the survey show the kind of tools being used. Perhaps the indicate that cybersecurity is becoming more of a business as usual operation.
| Dec #116
|It’s always good to be aware of the collective progress in cybersecurity. The DoDs latest recommendations on protection of weakness related to DoD controlled information applies everywhere and is definitely worth a read & aligned with everything we cover. The document refers to a table of 14 categories based on NIST SP 800-171 revision 2.
| Dec #115
|EU Votes to break Internet Security
|In #107 below we warned of the EU’s determination to ignore reason and put the privacy and security of all EU citizens at risk and put web certification in the hands of member countries. In a behind-the-doors vote the legislation passed, including the soon to be infamous “Article 45.”
| Dec #114
|What bank is that again?
|For those who are still clicking on those innocent looking emails, these scary examples show how fraught and tricky the problem is. So, which one of these emails is legitimate and which is from a man-in-the-middle attack?
The first and second highlighted in a couple of alerts recently is in the letter “α” being a cyrillic alpha but our brain registers it as an “a”. However, The third was not covered in alerts but is much trickier as the “o” is actually a Greek omicron character. I.e. it’s not enough just to look at the address when it’s hidden by the font. (good grief!)
| Dec #113
|Trains & Boats and Trains
|Ahead of much coverage of Critical Infrastructure this month, the intertwining of networks, IoT and cybersecurity is highlighted by a feature on rail systems rolling stock security by Siemens. This is not a promo for the company but it does highlight the focus on rail system security. Last month we covered the threats to Boats and Planes and shortly an article published on critical infrastructure featuring both security and network integrity wiLl also appear on this site. Update: now there news of a water treatment system in Philadelphia under attack by a Hammas attack group targeting (yes, you’ve guessed it) devices connected directly to the Internet. The big surprise is that this is a surprise to anyone. To be continued.
|Given that both Experian and TransUnion credit bureaus – who know everything about your financials, status and history – are being held to ransom for $30m apiece, the recommendation is to lock down your credit with them. I.e if someone does get your credentials they can’t take out a credit card or loan or find out how much money you have so easily and you will be alerted should there be attempted access to that information.
|Delegate Don’t Abdicate
|It started as a simple article in ISE magazine in the July/August edition but it’s grown into a monster. Applying Zero Trust principals to delegation and Network as a Service, was also part of our ONUG Fall presentation in New York last month. It’s also found it’s way into the MEF’s update to the MEF 118.1 Zero Trust Specification. The latest update is on this site.
|Tis that time of the year.
|Yes, Chistmas is coming and it’s time for Black Friday scams – (“hovver before you touch” or check that Fedex tracking email or Best Buy special.) However, among the 10 best list of the 10 best predictions for 2024 is something cool. Cyber Security Hub lists the 10 security misconfigurations to fix right now. Yes the obvious ones – using default configs, not using least privilege, non-automated updating lack of segmentation are there. Others are less well considered: insufficient internal network monitoring, weak MFA methods, insufficient Access Controls and system bypasses, poor credential hygiene and lazy (my word) oversight of code execution.
|The nerve of some robbers!
|It’s bad enough that the ALPHV Ransomware group held the MGM hotel group to ransom – but to file a complaint that the MGM did not report it in time is to ridcule and make a mockery of all concerned. It’s like a bank robber stealing money from a bank and then suing them for lack of security.
|3 Critical Infrastucture Issues
|Time to look at critical infrastructure. As a lead into this monster topic, three incidents occured in the second week of November: The Australian port systems was hit, there are new concerns about aircraft safety and the world’s largest bank were all hit separately. In the third week, the personal information of 5700 employees at US Nuclear Energy Center was leaked. Not a good place to have an insider threat or social engineering attack based the vulnerable past of an employee. As a first step, it’s a timely reminder for executives in these major organizations to stop thinking in the past and focus on the basics to Break the Vicious Circle? Also, to focus on the many issues of the above critical infrastructure instances and their special requirements. More to follow on these topics.
|EU time machine to return to 2011
|Despite almost every major security and tech company’s efforts, the blinkered non-experts in the EU are about to take the Internet’s security and personal exposure back 12 years. The proposed legislation (eIDAS 2.0 and more specifically Article 45) to quote Mozilla:”This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.” Loads of coverage on this potential disaster: (1) Security Now ep 947. (2) The Register (3) EFF civil liberties foundation. The EU give carte blanch to governments and probably hackers to run amock to evesdrop on everyone!!
|When will they learn?
|It seems to have escaped the world of cybersecurity software vendors that they are the main targets. Following reports about leaking OKTA personal login data, Microsoft jugernaut seems be be waking up – responding to significant U.S. Government pressure. Cybersecurity Dive is one of many to report “government branches being concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features.” Microsoft’s Secure Future Initiative addresses this with an update to its Microsoft Security Development Lifecycle (that we cover on this site.) to become “dynamic SDL” (dSDL), updating its “security defaults” and identity management. Lots of good intention. What it translates into is definitely left as an exercise for the subscriber – and any improvement would be good for all.
|Delegation not Abdication
|My original ISE article in August 2023 has been greatly expanded covering six key areas that require verification of companies, services and software. This blueprint covers 26 functions helping support an organization’s responsibility to verify its operation and that of its suppliers. I hope that the proposed CISA cuts don’t slow down their effort in this area.
|40+ Countries to Pay No Ransomware
|This fanfared story received much coverage but it maybe limited to organizations who would likely not bepaying anyway even if it’s enforceable. When signed, it appears to be limited to govrnment agencies, not the organizations who operate in those countries. If it comes to “breaking the agreement” or survival, we will see which one wins and puts a dent in the project $bn problem by the end of 2023. What is often overlooked is that paying ransomware to state-sponsored threat actors likely breaks the law in the U.S. The 2021 Dept of the Treasury Office of Asset Control update explains more on this. It is not clear how you can possibly know who you are paying?
|Almost 3 years since Texas-based SolarWinds disclosure of its infamous breach, the Securities and Exchange Commission filed charges against the company and its CISO, Timothy G. Brown, alleging that the software company misled investors about its cybersecurity misstatements and omissions that concealed its deficiencies and poor cybersecurity practices. This is a story that will concern a much wider audience.
|Boeing goes boing?
|It will be interesting to see how Lockbit’s ransomware attack on $60bn Boeing Company. The attackers threat to make public stolen data from the massive commercial and defense aviation and space company does not respond by Nov 2nd. What the cybersecurity community wants to know is what are the lessons to be learned. “Why did this happen?” should also be part of the new CISA rules, however painful that might be. It would be good to see laws against ransomware payments come into effect, though this might turn complicated. Update: Lockbit posted what it claimed was some of this stolen data on Nov 10th.
|$2 Billion Domino Effect
|It never ceases to amaze that the basic security fundamentals are neither part of a security software company’s development process, or a subscriber’s delegation and verification process. The $2bn in question is the loss in the market cap of OKTA, the industry’s go-to company on Identity Management, at the heart of all Zero Trust implementations. The impact on its 18.000 customers (many household names) is not known but MGM, Caesars, Cloudflare and 1Password are on the list of dominos that have fallen. What’s concerning is that the MGM Okta incident was known about for more than a month and yet the rest of the stories are just seeping out.
|An new paradigm for cybersecurity in the board?
|Given the dramatic story below, this 100th posting of the year takes on a more optimistic note. It appears that a new model for cybersecurity is taking shape in executive teams and company boards. The emergence of a security committee consisting of or including one or more consultants is taking responsibility and providing executive oversight is becoming popular. About time too! Given that the CISOs or designated security expertise within an organization have neither the business skills or experience to even speak the language of the executive team this is an important trend that can scale up or down to almost any size or type of organization. More on this on this site to follow shortly. Splunk’s 2023 Report includes data on this trend.
|The Web User Interface of Cisco’s IOS XE software appears to have a serious flaw as reported by Sentinel One and CyberDive. This Advance Persistent Threat attack is triggered by a threat actor with unauthenticated accounts being able to elevate their privilege to Cisco’s highest level (15) causing untold chaos to monitoring, routing, physical and virtual processes and insert man-in-the-middle malware and impacted 140,000+ systems and their customers worldwide! (Yes a big ouch!) (Update: October 23rd. Cisco has produced a patch for the problem. Without the patch, …) Cisco states that all end-users (and presumably Service, Cloud and managed service providers) disable the “web UI feature”. CISA has given it’s highest rating (10) to CVE-2023-20198. That’s the facts but the critical unanswered question is that “How with all their expertise could Cisco possibly allow that to happen?” If they were hacked in this way what hope is there for other organizations? It appears that more than three weeks went by before the severity was realized. We will keep this story updated in more depth. However, given that no-one wants to reveal their defense for fear of it revealing other weakeness, our assumptions is that we will never know.
|New HTTP/2 Design Vulnerability.
|Cloudflare alerted the world to a huge denial of service attack – actually the biggest of all time. This is covered in more detail in the Bot and HTTP sections of our cyberpedia page. Those being alarmed by this should be alerted to the fact that this is an example of proper DDoS attack protection being a requirement.
|Social Networking Tool Users Beware.
|Vulnerabilites in Atlassian’s Confluence Social Networking Tools were reported by SentinelOne as CVE-2023-22515 and was rated as 10.0 with patching required. Gaining access to such tools can open the flood gates to man-in-the-middle and phishing attacks. For those unfamiliar with Atlassian’s confluence wiki, it’s been the mainstay of many organizations for collaboration and developing work for well over a decade. Like Slack, Google Docs, etc., it’s used in many industry associations and thousands of users have freely made their contact info available on such platforms. All of these tools have had a history of exploits – even Zoom, Microsoft Teams and messaging apps such as Skype and WhatsApp (as reported this month by Nextgen Hero) have been attacked in the past and the lesson to be learned is to have several email addresses, never use single common sign-in and to watch for phishing attacks that appear to be from previously trusted members or leaders of such groups. Also in an adjacent space, many will be aware that as recently as August 2023, Cyberint reported a significant wave of attacks on LinkedIn users.
|Significant IoT risks for Critical Infrastructures
|One aspect of Microsoft’s 2023 Digital Defense Report published this month was importance of keeping separation or “air gap” between Operational and IT networks for Critical Infrastucture systems. Chapter 4 covers the fact that of the 78% of IoT devices that have known vulnerabities (bad enough in itself), 32% could be patched and of those 46% cannot be patched. This makes it even more critical to ensure that no device (IoT or otherwise) directly or indirectly is exposed to Internet connections from Cloud-based applications or self hosted apps. What’s more is that any software apps that do connect to critical IoT devices are properly verified for secure operation and communicate with such network devices over secure and encrypted tunnels. A commentary on legacy IOT devices is that 25% of them use unsupported operating systems. (good grief!)
|Be aware or be prosecuted
|The SEC’s new rules have raised the cybersecurity bar for public companies and will no doubt trickle down to their supply chains. For organizations who are U.S. government contractors, increasing scrutiny spelled out in the government’s False Claims Act is falling upon those who knowingly: (1) provide deficient cybersecurity products or services; (2) misrepresent their cybersecurity practices or protocols; or (3) violate obligations to monitor and report cybersecurity incidents and breaches. Read more in this new article from Corporate Compliance Insights. Government agencies who apply cybyr.com’s Delegation Methodology can protect themselves and help their suppliers to prevent this problem.
|Misconfiguered Misconfiguration List?
|The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the Top Ten Cybersecurity Misconfigurations. It’s received a lot of uncommented coverage and is well intentioned we are sure.
Yes, the list contains 10 or so of a hundred possible cybersecurity best practices but only one of them (5. Poor patch management) actually covers misconfigurations. I can immediately think of at least 10 more actual misconfigurations and I put these on my Cyberpedia page – which has now grown to more than 260 terms. Sounds like a contribution to CISA is needed. This topic deals with misconfigurations due weak policy, human errors and incorrectly programmed automation. It does not cover how such lists should be protected from deliberate misconfiguration!
|MGM Announces $100m loss.
|In more SEC-driven disclosures, MGM resorts revealed that the attacks impacted its third quarter losses to around $100m! It also revealed that sensitive personal data for those that conducted transactions with the resorts before 2019 was also stolen – though it does not say from when. Source for this is Cybersecurity Dive. Full coverage and the lessons to be learned from the whole MGM story is now on the new in-depth topics page. It covers and the thirteen steps you should take to avoid it happening to you and looks at the possible real reason for the attack that no-one else has mentioned.
|AWS says by mid-2024 it will require the use of MFA beginning with the “most privileged users” of accounts. See the Cybersecurity Dive article for details, The question is: Why wait? (Note, as we reported previously, MFA is by no means infallible.)
|This article posted by the World Economic Forum covers 4 topics including the latest FBI warnings
|Cybersecurity Month to last forever?
|A new article from Forbes “Beyond Cybersecurity Awareness Month: Finding A Signal In The Noise” focuses on medical device security but importantly that “cybersecurity isn’t a fleeting concern.” Also is NIST’s piece on Cybersecurity month: