Unplugging the Internet, Bombing Hackers, Cyber NTSB, & Best Practices – PSW #695

Yea, except cybersecurity, hacking and cyber crime is nothing like investigating airplane crashes in the sense that everything changes all the time, incidents happen at a far greater rate, and we're dealing with digital incidents, not physical (for the most part, unless they intersect, which happens).

Russian virtual keyboard for the win?

Information should be free (free like free beer and free like running naked through a field)

Oh yea, let me just go unplug the Internet for a few days...

Throwing money at the problem does not fix cybersecurity issues, if it did, the companies who spend the most on cybersecurity would not have breaches, except they do.

“Security must be taken seriously – the only way to do that is to be proactive. With billions of new devices constantly connecting locations around the world, the attack surface is staggering. It will be important for solution builders, both hardware and software, to be thoughtful stewards and strong advocates for cybersecurity in order to deliver trustworthy compute infrastructure.” - I read this as "our customers told us security is important to them now, so now security is important to us." Also, not necessarily a bad thing...

"An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. "This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,"" - The irony of poisoning the watering hole to poison the watering hole is not lost...

When availability ranks way higher than confidentiality.

Just don't use XOR. However, attackers will double encrypt, maybe not all, but some of your data, so you have to pay twice.

""Industry best practices," for instance, dictate that network administrators should be boxed in administratively. They should not be able to see what is happening on workstations, servers or storage resources." - Actually, we do not dictate this at all. "Implement a "one strike and you are out" hiring policy for information security employees. When they fail, do not let it happen twice." - This is just wrong on so many levels, such as how do you measure failure? And so we all have to be perfect because no one makes mistakes, in any profession, right? Somehow we are different because we deal with cybersecurity? "Also, never hire an information security employee who has ever worked for a firm that has had a security incident." - Wow, you have really hit the crack pipe hard by this point in the article. I will let you in on a not-secret: 99% of us in information security have worked at a company that has had a security incident. Maybe we should just all quit? Maybe we should just all turn to the darkside and take over the galaxy? Just how is this a solution? "Embrace "holistic" approaches to information security." - You took a huge bong rip before you wrote that, then said it out loud when you typed it, and it sounded really good huh? And then you try to cover your ass: " The author, Professor Gwinn, states that his column included “what is likely to have been the worst wording I have ever used in my life” in the 19th and 20th paragraphs, which suggested that he favored the “willy-nilly firing of a whole staff of people after a security incident. My intent was to hold leadership accountable." He now states that businesses and industries should “implement a ‘one strike and you are out’ hiring policy for information security leadership whose job it was to secure systems and networks after a major, expensive breach. Rotate leadership and do not let it happen twice. Also, weed out and avoid hiring that former information security leader.”" Guess what? You are still wrong, on basically all points. Also, we will be looking at all of your future publications and I hope you have better suggestions in the future, because this article...sucks.

This was a great article and did not get into finger-pointing, blaming people, or other such nonsense. For example, the media has continued the notion that the hacker/cybersecurity persona is a male, typically wearing a hoodie, alone, using a computer in the dark: "In general, Cybersecurity in the media typically has a very masculine look. As you can see in the above screenshot, eight of the nine images have the same blue/black color scheme. While this may seem trivial, it’s something that can subconsciously impact perception. Much of these images align with what’s referred to as masculine colors." This is also a great point: "Second, many of the images in my search showed lines of code, which can lead people to come to the conclusion that coding experience is a requirement for a cybersecurity career, which isn’t true." - Again the media is reinforcing the notion that not only should you be male, alone, in the dark, but you also better be super technical and able to write code. All just not true!

I am challenging this one, I don't believe this is what the data shows: "The report found that network defenders were almost exactly as likely to mitigate a problem when an exploit had been released before the patch. If an exploit was released first, a median of 46.3% of systems were patched in the first three months, a cumulative 57.5% after six months and 67.8% after 12 months. Patches were actually more common when the first exploit was released after the patch, although only marginally so, and remediation followed the same curve (49.1% at three months, 59.3% at six and 70.6% at 12 months)." - There is a HUGE difference between an exploit being released, and an exploit being used in the wild, and this data did not represent that aspect. There is also a huge difference between a PoC and the overall effectiveness of an exploit. Was the exploit a DoS or restricted to RCE? Also, what if an exploit does not have a patch? Or, what if the patch is REALLY hard to apply and rollout, vs. other vulnerabilities that are easier to remmediate? Also, what if I didn't apply a patch but I turned off the service, created a firewall rule or implemented some other compensating control? What if I do that more often when an exploit is released than I do patch a system? What if an exploit being release actually helps me with compensating controls rather than applying a patch? What if exploits are released for software that is not popular or I just don't have in my environment, therefore I don't have to patch?

Emerson says it has released firmware updates to address six vulnerabilities rated as high or severe affecting its Rosemount X-STREAM gas analyzer. In the case of CVE-2021-27459, arbitrary code execution is possible, but it requires a high privilege level and the code only executes in a limited context.

A Wyoming Health Department (WHD) employee appeared to have improperly handled the data by uploading it to public and private repositories on GitHub

An unsecured AWS S3 bucket belonging to Primrose Hill, London-based recruitment firm FastTrack Reflex Recruitment (now TeamBMS) containing some 5GB of data that includes 21,000 files containing CVs and PII

According to Waikato DHB chief executive Kevin Snee, it appears that attackers managed to breach the health provider's networks via a malicious email attachment.

Student health insurance carrier guard.me has taken their website offline after a vulnerability allowed a threat actor to access policyholders' PII

According to reports, the credit card breach affects students attending Purdue, IU, Boston, Towson University, University of Houston, Lehigh, Misericordia, Cornell, Wake Forest, Florida State University, and Sonoma State university.

Irelands' Health Service Executive (HSE) says it was forced to temporarily shut down its IT systems in an effort to protect those systems from further compromise after experiencing a "significant cyber attack" on May 13.

A security researcher has published a working proof-of-concept exploit code for a wormable Windows IIS server vulnerability tracked as CVE-2021-31166.

AMD has issued guidance to customers for dealing with two new vulnerabilities (CVE-2020-12967 and CVE-2021-26311) affecting its Secure Encrypted Virtualization (SEV) protection technology that could be exploited by attackers to completely bypass SEV and execute arbitrary code on targeted systems.

Owners of security cameras from smart device maker Eufy have reported on Reddit and Twitter that they were able to access video cameras belonging to complete strangers rather than their own video feeds.

Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack. Avaddon operators stated on their website that they had stolen 3TB of sensitive customer information from AXA branches in Thailand, the Philippines, Hong Kong and Malaysia, and encrypted these entities' systems with ransomware.

Researchers say they have identified ransomware operators encrypting victims' data twice (i.e., double-encrypting) at the same time during ransomware attacks in an effort to get the most money possible from targeted organizations.

According to a forum post from XSS forum owner "Admin" announcing the move, all "Ransomware affiliate programs," "Ransomware rental," and the "sale of lockers (ransomware software)" are prohibited, and any existing ransomware topics will be deleted.

Pakistani government-linked APT group "Transparent Tribe" has spent the past 18 months using its hacking tool in cyber espionage campaigns leveraging catfishing that are designed to steal data from and take screenshots of compromised systems in India as well as to target Indian military personnel, defense contractors, and individuals attending Indian government-sponsored conferences and events.

Rapid7 disclosed that unauthorized third-party had access to source code and customer data as result of Codecov supply chain attack.