SANS NewsBites

If You Can’t Eliminate FTP, Require MFA Be Used; Don’t Allow External Web Access to Routers

March 7, 2023  |  Volume XXV - Issue #19

Top of the News


2023-03-03

Stolen FTP Credentials Used in Website Hijacking Scheme

Cloud cybersecurity experts from Wiz have detected a website hijacking campaign that uses stolen FTP (file transfer protocol) credentials to redirect users to websites of the attackers’ choosing. The campaign appears to have been operational since September 2022 and has compromised more than 10,000 websites. It is not clear how the legitimate FTP credentials were obtained.

Editor's Note

Stolen credentials only work when those credentials are reusable. Good reminder to make sure your movement to 2FA extends to all remote access capabilities, not just the VPN.

John Pescatore

If you still have FTP enabled on your web sites, you really need to disable it and move to an alternative, say SFTP. Odds are the current versions of your website development tools already support secure alternatives. This may require you to update your development environments. Next, make sure your website wasn’t compromised; remediate if needed.

Lee Neely

Fifteen years after we first began to disparage the use of FTP, it continues to be a problem.

William Hugh Murray

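The Wiz campaign above abused reusable FTP credentials to alter site content, and the notes recommend verifying that the site was not tampered with before remediating. As an added example (not code from SANS, Wiz or the editors), the following Python script builds a SHA-256 manifest of a web root while it is known-good, then re-scans it to flag new, modified or deleted files and any HTML or JavaScript that redirects visitors to hosts outside an allowlist. The allowlist of your own domains, the file types scanned and the small sample site it constructs are assumptions for the demonstration; the redirect patterns it looks for are common injection styles, not the specific technique Wiz observed.

```python
"""Baseline a web root and flag tampering that redirects visitors off-site.

Added example for this NewsBites item; not code from SANS, Wiz or the editors.
The allowlist, scanned file types and the constructed sample site are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: hosts your pages are allowed to load scripts from or redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}
SCANNED_SUFFIXES = {".html", ".htm", ".php", ".js"}

# Common ways injected content sends a visitor elsewhere (generic, not Wiz's IoCs).
PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s;]+)', re.I)),
    ("script-src", re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)', re.I)),
    ("js-location", re.compile(
        r'(?:window|document|top)\.location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)),
]


def _offsite(url: str) -> bool:
    """True for absolute or protocol-relative URLs whose host is not allowlisted."""
    host = urlparse(url).hostname  # None for relative paths such as /js/app.js
    return host is not None and host.lower() not in ALLOWED_HOSTS


def find_redirects(text: str) -> List[Tuple[str, str]]:
    """Return (kind, url) for every off-site redirect or script load found in text."""
    hits = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(text):
            url = match.group(1)
            if _offsite(url):
                hits.append((kind, url))
    return hits


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Take this from a trusted copy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan_webroot(root: Path, baseline: Optional[Dict[str, str]] = None) -> Dict[str, list]:
    """Report files that are new, changed or deleted versus baseline, plus off-site redirects."""
    findings: Dict[str, list] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        issues: list = []
        if baseline is not None:
            digest = sha256_file(path)
            if rel not in baseline:
                issues.append(("new-file", digest))
            elif baseline[rel] != digest:
                issues.append(("modified", digest))
        if path.suffix.lower() in SCANNED_SUFFIXES:
            issues.extend(find_redirects(path.read_text(errors="replace")))
        if issues:
            findings[rel] = issues
    for rel, digest in (baseline or {}).items():
        if not (root / rel).is_file():
            findings[rel] = [("deleted", digest)]
    return findings


def demo() -> Dict[str, list]:
    """Constructed sample: baseline a clean site, then simulate an FTP-borne defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text(
            '<html><head><script src="/js/app.js"></script></head><body>ok</body></html>')
        (root / "about.html").write_text("<html><body>About us</body></html>")
        (root / "js" / "app.js").write_text("console.log('app');")
        baseline = build_manifest(root)  # taken while the site is known-good
        # What someone holding stolen FTP credentials might upload (constructed).
        (root / "about.html").write_text(
            '<html><head><meta http-equiv="refresh" content="0; url=https://evil.example/landing">'
            '<script src="//cdn.evil-tracker.example/redirect.js"></script></head>'
            '<body>About us</body></html>')
        (root / "js" / "r.js").write_text('window.location.href = "https://evil.example/";')
        return scan_webroot(root, baseline)


if __name__ == "__main__":
    for rel, issues in demo().items():
        print(rel)
        for kind, detail in issues:
            print(f"  {kind}: {detail}")
```

Take the baseline from a trusted copy (your deployment artifact or version control) rather than from the live server, and keep it off-host; anyone with write access to the web root could otherwise regenerate it to match their changes. Run scan_webroot on a schedule and treat any modified or new file that does not correspond to a known deployment as an incident, not just the files that happen to match a redirect pattern.
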
2023-03-06

Hiatus Malware Campaign Targets Business Grade Routers

Researchers at Lumen Black Lotus Labs have detected a malware campaign that compromises routers. Dubbed Hiatus, the campaign “infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) [called] HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.” The malware primarily targets certain end-of-life DrayTek routers.

Editor's Note

Usually, attacks against routers are considered noisy and easy to detect. But among the flood of requests from bots like Mirai hide more sophisticated attacks, like this one. Sadly, even more expensive ("business grade") equipment suffers from the same stupid web application vulnerabilities as home user systems. The same care needs to be taken in protecting them by restricting access to any management/web interface as much as possible.

Johannes Ullrich

Note that they’re targeting end-of-life products. Make sure that you’re not only patching and applying secure configurations but also proactively doing lifecycle replacements to raise the odds that discovered vulnerabilities will have updates. This also should help you keep up with capacity and the ever-increasing complexity of security implementations.

Lee Neely

The Rest of the Week's News


2023-03-06

The US Environmental Protection Agency Now Requires Public Water System Audits to Include Cybersecurity

The US Environmental Protection Agency (EPA) has published a memo mandating “that states must evaluate the cybersecurity of operational technology used by a PWS (public water system) when conducting PWS sanitary surveys or through other state programs.” The memo includes a variety of resources, including suggested approaches to including cybersecurity in the sanitary surveys and a link to EPA’s cybersecurity best practices for the water sector. The EPA will also offer virtual training and technical assistance.

Editor's Note

Good to see water safety include cyber security, but the EPA memo seems focused only on operational technology in the definition of “significant deficiencies.” As the Colonial Gas Pipeline incident showed, compromised business applications/systems can also disrupt services running on OT.

John Pescatore

If you’ve never been audited before, you may wish to go proactive and hire an external firm to check you out prior to the regulator surprising you with a bunch of must-address findings you don’t know how to address.

Lee Neely

A ‘one-two punch’ by the Administration. First the national cybersecurity strategy is released; second, a mandate that includes a cybersecurity audit as part of water sanitation surveys. Problems with the requirement include: 1) sanitation surveys are conducted every three years; 2) cost of the cybersecurity audit; 3) skills to conduct the audit; and 4) yet another cottage industry catering to government regulation.

Curtis Dukes

In this week's Cyberlaw Podcast, #446, Interview with Chris Inglis, they noted both the fact and the causes that public water systems are not doing well on cybersecurity.

William Hugh Murray

2023-03-03

Electric Vehicle Charging Infrastructure Cybersecurity

The “EV charging infrastructure represents a perfect storm of technologies.” Last month, researchers from Saiflow disclosed vulnerabilities in the Open Charge Point Protocol (OCPP). Idaho National Laboratory found that every EV charger it tested was running outdated versions of Linux, had unnecessary services enabled, and allowed many services to run as root. There is likely to be a rush to supply an adequate number of charging stations for the growing number of electric vehicles, and while these stations are considered part of the Internet of Things, Dragos’ senior director of strategy observes that “they are one of the first that has control over such a significant amount of electrical load.”

Editor's Note

EV charger deployment is at breakneck speed these days, and there are sufficient mandates accelerating adoption of electric vehicles to shove security to the background. The challenge for manufacturers will be to remediate and push updates. The challenge for consumers is knowing the EV charger is secure before they use it. I predict that even if the vendors fix the issue, regulators will come out with new standards to push the issue. Maybe even a certification sticker.

Lee Neely

As with any new technology advancement, cybersecurity is often trumped by the vendors’ need to get their product to market. Because of this ‘speed to market’ need, vendors indirectly use the vulnerability research community as their de facto product testers. The buildout of EV infrastructure is no exception. What’s important is that the industry move quickly to close this and other vulnerabilities. As we’ve seen over the last decade or so, cybercriminals are quick to weaponize vulnerabilities.

Curtis Dukes

These findings should not surprise anyone. If not the most vulnerable component of most applications, the operating system is the most attacked component. While single application appliances should be easier to secure than open, general purpose, flexible, feature rich, and complex operating systems, including such an operating system in one's appliance is not a good place to start.

William Hugh Murray

2023-03-06

Researchers Find Side-Channel Weakness in CRYSTALS-Kyber Post-Quantum Algorithm Implementation

Researchers at Sweden’s KTH Royal Institute of Technology have found a side-channel weakness in an implementation of one of the post-quantum cryptography algorithms selected for standardization by the US National Institute of Standards and Technology (NIST). The attack recovers secret material from power-consumption measurements of a masked software implementation rather than from a flaw in the underlying mathematics. CRYSTALS-Kyber, a key encapsulation mechanism, is one of four algorithms chosen by NIST last year.

Editor's Note

Many crypto algorithms in use have had side-channel vulnerabilities discovered that had to be dealt with. This one is interesting in that the researchers used machine learning tools to facilitate recovering message bits with this approach – I’d like to see more use of software testing tools taking similar approaches to find more vulnerabilities before products ship.

John Pescatore

Now is the time to find and fix flaws in these next generation algorithms, before we spend a lot of time converting to them. While the threat of quantum based attacks is still a ways out, AI based attacks are also an emerging threat so we need this sorted in the next year or so, allowing vendors to implement solutions we can deploy.

Lee Neely

Crypto is harder than it looks. Algorithms are tough but implementations are even harder. That said, we still have ample time to harden our systems against quantum cryptanalysis. In the seventies, when the publication of the Data Encryption Standard first legitimized the private use of cryptography, few recognized the fundamental role that cryptography would play in what has come to be known as "cybersecurity."

William Hugh Murray

2023-03-06

DoppelPaymer Suspects Interrogated in Germany and Ukraine

An international law enforcement effort has led to the seizure of equipment and interrogation of people suspected of being members of the DoppelPaymer ransomware group. Police in Germany and Ukraine conducted the raids and interrogations; they were aided by Europol officials as well as law enforcement officials from the Netherlands and the US.

Editor's Note

The trend continues in the right direction as more gangs are stopped and members face criminal consequences. Bravo to the agencies pulling this off. That said, we still need to remain vigilant. Consider this a reduction in threat actors, but the fundamental risks remain.

Lee Neely

This continues the increased focus by international law enforcement agencies on carrying the fight to purveyors of ransomware. This has only come about because of increased information sharing over the last two years between nations. Don’t forget though, more work still needs to be done to make enterprises resilient against ransomware attack.

Curtis Dukes

2023-03-04

TPM 2.0 Vulnerabilities

Researchers from Quarkslab have disclosed two vulnerabilities in the TPM 2.0 reference implementation. The flaws were found in November 2022; on February 28, Carnegie Mellon University’s CERT Coordination Center and the Trusted Computing Group (TCG) both published advisories describing the vulnerabilities and suggesting mitigations. The flaws, an out-of-bounds write and an out-of-bounds read, could be used to gain elevated privileges. TCG has updated the reference implementation and affected vendors have released firmware updates to address the vulnerabilities.

Editor's Note

If your TPM-enabled devices have updates, make sure you have a solid deployment process as this can absolutely brick systems if done wrong. Make sure you know what you’re storing there, and how to recover if you break it. You may want to start with on-premises and local systems before your more distant use cases.

Lee Neely

2023-03-03

Joint Advisory Warns Royal Ransomware is Targeting Multiple Critical Infrastructure Sectors

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly published a security advisory warning that the Royal ransomware is being used in attacks targeting multiple critical infrastructure sectors, including Manufacturing, Communications, Healthcare and Public Health (HPH), and Education. The advisory includes indicators of compromise (IoCs) and observed tactics, techniques, and procedures (TTPs) used by the ransomware operators.

Editor's Note

By my count this is the third, recent alert (briefing, advisory) on the Royal ransomware gang and its TTPs. All information sharing and analysis centers benefit from these alerts. Cyber defenders, if you haven’t already, use this advisory to revisit cyber defense plans and incident response plans. And remember, the ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery.

Curtis Dukes

2023-03-06

Barcelona Hospital Suffers Cyberattack

A ransomware attack affecting a hospital in Barcelona, Spain, has caused the cancellation of non-urgent operations and patient appointments. The attack has affected Hospital Clínic de Barcelona’s laboratories, pharmacy, and emergency room systems. The attack was detected on Sunday, March 5.

Editor's Note

While the ‘Ransom House’ gang uses a different MO from other ransomware miscreants, the outcome is the same: severe impact to business operations. Having to revert back to staff-intensive processes is both inefficient and poses some risk to patient care. The hospital will recover from this attack and will most certainly revisit its patch and configuration management processes.

Curtis Dukes

2023-03-06

Patches Available for Vulnerabilities in Wago Programmable Logic Controllers

Wago has released patches to address four vulnerabilities affecting its programmable logic controllers (PLCs). The flaws in the web-based management interface of multiple products were detected by a PhD student conducting research on industrial control system (ICS) security.

Editor's Note

Have you compared your implementation to the Purdue model lately? PLCs are particularly sensitive to inappropriate touching and you should limit access to only authorized/necessary systems and users. Don’t overlook firmware updates when published. Although finding a downtime window can be challenging, you can still get these updates pushed.

Lee Neely

Internet Storm Center Tech Corner

Scanning s3 Buckets

https://isc.sans.edu/diary/Scanning+s3+buckets/29606

SANS.edu Commencement

https://www.linkedin.com/feed/update/urn:li:activity:7037794067266625536/

HiatusRAT Router Malware

https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/

SonicWall Vulnerability

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004

Windows Word RCE Proof-of-Concept

https://twitter.com/jduck/status/1632471544935923712

https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

DBatLoader and Remcos RAT

https://www.sentinelone.com/blog/dbatloader-and-remcos-rat-sweep-eastern-europe/

SCARLETEEL: Operation Leveraging Terraform, Kubernetes and AWS for data theft

https://sysdig.com/blog/cloud-breach-terraform-data-theft/

Preventing Malicious OneNote Files

https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/

Redis Miner Leverages Command Line File Hosting Service

https://www.cadosecurity.com/redis-miner-leverages-command-line-file-hosting-service/