SANS NewsBites

You Need to Patch Ivanti Sentry/MobileIron Again; Delete Extension When Chrome Safety Check Alerts; Patch WinRAR ASAP

August 22, 2023  |  Volume XXV - Issue #66

Top of the News


2023-08-21

Ivanti Releases Fix for Authentication Bypass Vulnerability

Ivanti has released a patch to address an API authentication bypass vulnerability affecting the Ivanti Sentry Administrator Interface. The flaw affects all supported versions of Ivanti Sentry, previously known as MobileIron Sentry (9.18, 9.17, and 9.16); older, unsupported versions may also be vulnerable. The vulnerability can be exploited to read or modify Sentry configurations.

Editor's Note

Ivanti's MobileIron products continue to be under scrutiny for bugs, and to their credit, Ivanti is jumping on fixing them quickly. Ivanti Sentry acts as a gateway for ActiveSync and can also be a Kerberos Distribution Center Proxy (KKDCP) server, meaning it's a critical control point in allowing data and Kerberos tickets to flow to your mobile device fleet. The flaw, CVE-2023-38035, authentication bypass, CVSS 9.8, lies in the configuration APIs on the MobileIron Configuration Service. Make sure that MICS (port 8443) is NOT exposed to the Internet (restrict internal access as well), and get that patch deployed.

Lee Neely

This is a double-edged issue where you have a critical component (MDM) with a manufacturer that at one point was the leader in the MDM space, combined with API authentication flaws which are very common in Web Applications. This is a good case study: If an attacker can get in your MDM they have access to plenty of your infrastructure to continue on. They can even deploy their own backdoors.

Moses Frost

2023-08-21

Chrome Safety Check Feature Will Warn When Extensions are Removed from Store

Google is testing a new Chrome feature that will alert users when extensions they have installed are removed from the Chrome Web Store, which indicates that the extension has been unpublished by the developer, taken down for violating Chrome Web Store policy, or identified as malware. The Safety Check feature is available for testing in Chrome 116 and will go live in Chrome 117, which is scheduled to be released on September 12.

Editor's Note

This is one of those security features (like certificate revocation checking) that most of us thought were just built-in to browsers. After all, grocery stores quickly notify us that certain brands and date ranges of bagged lettuce were found to have E. coli. The first move in the browser world is almost always forcing the user to check and take action, but Google has a good track record of fairly rapidly moving to automating security features, switching to only requiring user action to overcome security vs. enable it.

John Pescatore

You have to imagine this was probably a bigger issue than we were led to believe if the Google team created this feature. Watch your extensions closely.

Moses Frost

This feature will alert on three conditions: the item was marked as malware, the extension was taken down for violating Chrome Web Store policy, or the extension was unpublished by the publisher. Suspect items will be available for review in the Privacy and Security section of the Settings page, under Safety Check.

Lee Neely

As consumers, we often add extensions to our browser without a second thought. We then forget about the extension and its potential as a security risk. This safety check will give consumers pause to periodically check what extensions they have installed. Kudos to Google for continuing positive security changes to Chrome that quickly become standard features for modern browsers.

Curtis Dukes

2023-08-21

WinRAR Vulnerability

A patch is available to fix a high-severity vulnerability in the WinRAR file archiver utility. The flaw could be exploited to attain arbitrary code execution by tricking users into opening a maliciously crafted RAR file. The vulnerability was discovered by a Zero Day Initiative researcher who reported it on June 8; the flaw was addressed on August 2 in WinRAR 6.23.

Editor's Note

The flaw is exploited when you decompress/open the RAR file. CVE-2023-40477 has a CVSS score of 7.8, so don't put this on the back burner; push out the updated WinRAR wherever it is installed.

Lee Neely

The Rest of the Week's News


2023-08-21

Microsoft DNS Misconfiguration Causes Hotmail Delivery Problems

A misconfigured Hotmail DNS Sender Policy Framework (SPF) record prevented recipient mail services from determining that messages from Hotmail came from an authorized source, so receivers rejected or quarantined them. Hotmail users noticed last Thursday evening that messages were being returned with errors related to SPF.
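An SPF record that fails to parse or exceeds the DNS-lookup limit produces a permerror at the receiver, which is the kind of failure that turns into bounced mail for an entire domain. The linter below is an added example for this item, not Microsoft's configuration and not a reproduction of the actual Hotmail record; it checks the syntax points that most often break delivery: the record must start with `v=spf1`, a domain may publish only one SPF record, terms that trigger DNS lookups (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) may not exceed 10 (RFC 7208 section 4.6.4), and the record should end with an explicit `all` qualifier. The sample records in `SAMPLE_DOMAINS` are constructed for the example; in practice you would feed it the TXT records returned by a DNS query for your own domain.

```python
import re

# Mechanisms/modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# optional qualifier, term name, optional argument introduced by ':', '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?:[:=/](\S+))?$")


def lint_spf(txt_records):
    """Lint the TXT records published at one domain; return a list of problems.

    An empty list means the record passed every check this linter knows about.
    """
    problems = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no v=spf1 record published (receivers treat the domain as 'none')"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; RFC 7208 allows exactly one (permerror)")

    terms = spf[0].split()[1:]          # everything after the v=spf1 version tag
    lookups = 0
    terminal = False                    # an 'all' mechanism or a redirect= modifier was seen
    for i, term in enumerate(terms):
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qual, name, arg = m.group(1), m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in {"include", "exists", "redirect"} and not arg:
            problems.append(f"'{name}' requires a domain argument")
        if name == "ptr":
            problems.append("ptr mechanism is deprecated and slow; replace with ip4/ip6/a/mx")
        if name == "redirect":
            terminal = True
        if name == "all":
            terminal = True
            if qual in ("", "+"):       # a bare 'all' is the same as '+all'
                problems.append("'+all' authorises every sender on the Internet")
            if i != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not terminal:
        problems.append("record has no 'all' mechanism or redirect=; result for unlisted senders is neutral")
    return problems


# Constructed sample records (example domains only, nothing resolved from DNS).
SAMPLE_DOMAINS = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "too-many-lookups.example": [
        "v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(11)) + " ~all"
    ],
    "two-records.example": ["v=spf1 mx -all", "v=spf1 include:_spf.example.net -all"],
    "open.example": ["v=spf1 +all"],
    "no-record.example": ["google-site-verification=abc123"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DOMAINS.items():
        print(domain, "->", lint_spf(records) or "OK")
```

Run this against the TXT records of every domain you send from before and after any DNS change; a new service provider's "add our include" instruction is exactly how records creep past the ten-lookup limit.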

Editor's Note

Back in January, planes in the US couldn’t take off because a required Notice to Air Missions file that pilots needed to check before taking off had become corrupted. Microsoft quickly handled this self-inflicted wound to Hotmail, but a good reminder that File Integrity Management for a handful of files is a critical security process.

John Pescatore

Now that we've implemented SPF, DKIM and DMARC, it's important to keep those updated and configured properly so legitimate email flows and bogus messages are rejected. Consider the use case where you have a new service provider which is going to be sending messages on your behalf, from one of your email addresses: make sure your email and DNS teams are in the loop prior to having a "feature rich" announcement.

Lee Neely

Microsoft, specifically on the “Microsoft account side” where the keys could have been compromised, and all the scrutiny around this, needs to have a few months of being out of the news for incidents. I’m hoping they can figure out what’s happening at that group to keep causing issues.

Moses Frost

The last few weeks have been difficult for Microsoft’s image as a ‘security first’ company. We’ve had the yet to be explained loss of a critical signing key, and now a configuration change that resulted in a corrupted DNS file. Perhaps it’s time for Microsoft to revisit its configuration control processes.

Curtis Dukes

2023-08-17

HHS’s DIGIHEALS Project Aims to Improve Hospitals’ Ransomware Protection

The US Department of Health and Human Services (HHS) Advanced Research Projects Agency for Health (ARPA-H) has launched a program that will ultimately help protect the country’s healthcare system from ransomware attacks. The Digital Health Security (DIGIHEALS) Project is seeking proposals for technologies that will ensure the continuity of patient care when healthcare entities experience cyberattacks.

Editor's Note

Looking at most healthcare security incidents (and really most security incidents in all verticals), flaws in processes and people skills (which are needed to develop and implement effective and efficient processes) are, 99% of the time, what enabled the attack to succeed. There are definitely unique challenges, especially in the US, in how healthcare is funded, staffed and delivered that could benefit from innovation in how technology can be more usable in life and safety environments.

John Pescatore

Technology advances create efficiencies in delivery of vital services. Unfortunately, when a ransomware event occurs, technology becomes the Achilles’ heel for organizations, and they are left to reconstitute business operations using manual processes. This is certainly true in the healthcare sector. In the short term the most effective protection against ransomware is adequate funding for basic cyber hygiene using an established cybersecurity framework such as the CIS Critical Security Controls.

Curtis Dukes

As healthcare providers are often on a tight budget, this is a chance to get needed funding to implement security measures. Anything we can do to raise the bar for the healthcare industry will help; there is no indication that there will be a reduction of attacks focused on this sector.

Lee Neely

Well-intended if somewhat speculative. In the meantime, encourage strong authentication and isolation of mission critical patient facing (clinical) applications from high risk Internet facing (e-mail, browsing) applications.

William Hugh Murray

2023-08-21

Junos OS Updates Address Chainable Vulnerabilities

Juniper has released updates for the Junos OS J-Web interface to fix four vulnerabilities that can be combined to attain unauthenticated remote code execution. While each of the vulnerabilities separately has a severity rating of medium, when they are chained together the combined severity rating increases to critical.

Editor's Note

While you're waiting for the outage window to apply the update, you can either disable the J-Web interface or limit access to trusted hosts only. These devices should already be in your prioritized updates category. Don't get sidetracked with the individual CVSS scores of the weaknesses, CVE-2023-36844 through CVE-2023-36847; _COMBINED_, they are rated as critical.

Lee Neely
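The two interim mitigations mentioned above, disabling J-Web or restricting it to trusted hosts, look like the following in Junos set-style configuration. This is an added example, not text from Juniper's advisory; the management host 192.0.2.10, the filter name PROTECT-RE and the term names are placeholders, and you should confirm the syntax against your Junos release before committing.

```junos
# Option 1: turn J-Web off entirely until the fixed release is installed.
delete system services web-management
commit confirmed 5 comment "disable J-Web pending Junos update"
commit

# Option 2: keep J-Web, but only reachable from a management host.
# If lo0 already carries an input filter, add these terms to that filter
# instead of applying a new one, because a new filter replaces the old one.
set firewall family inet filter PROTECT-RE term jweb-allow from source-address 192.0.2.10/32
set firewall family inet filter PROTECT-RE term jweb-allow from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-allow from destination-port [ 80 443 ]
set firewall family inet filter PROTECT-RE term jweb-allow then accept
set firewall family inet filter PROTECT-RE term jweb-deny from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-deny from destination-port [ 80 443 ]
set firewall family inet filter PROTECT-RE term jweb-deny then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
commit confirmed 5 comment "restrict J-Web to management host"
commit

# Verify from a non-trusted host that https://<device>/ no longer answers,
# and from the device that the service is gone or filtered:
show configuration system services web-management
show firewall filter PROTECT-RE
```

`commit confirmed` rolls the change back automatically if the second `commit` is not issued within five minutes, which is the safeguard you want when editing a loopback filter on a box you are managing remotely. The final `allow-rest` term is deliberately permissive so the example only changes J-Web reachability; a real routing-engine protection filter should enumerate the protocols it allows.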

2023-08-18

Jenkins Security Advisory Addresses Nearly 20 Flaws

Jenkins has published a security advisory alerting users to 19 vulnerabilities in a variety of its plugins. Among the flaws addressed are four high-severity issues: stored cross-site scripting vulnerabilities in the Shortcut Job, Docker Swarm, and Flaky Test Handler plugins, and a cross-site request forgery (CSRF) vulnerability in the Folders plugin.

Editor's Note

Exploiting CVE-2023-40336 could result in approval of unsandboxed scripts, resulting in unsafe execution. Two of the flaws, CVE-2023-40342 and CVE-2023-40346, are due to improperly escaped content. Long story short, install the updated components: Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5.

Lee Neely
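Checking a fleet of Jenkins controllers against that list by hand is error-prone, partly because Jenkins plugin versions mix classic dotted numbers (1.27.5.1) with CD-style versions that embed a commit hash (953.v0432a_802e4d2). The script below is an added example, not Jenkins project code: it takes the JSON that a controller's plugin manager API returns (`/pluginManager/api/json?depth=1`, fetched with an API token) and reports any plugin installed below the fixed version. The plugin IDs in `FIXED_VERSIONS` are the short names these plugins are assumed to use on the update site, and `SAMPLE_PLUGIN_JSON` is a constructed response so the script runs offline.

```python
import json
import re

# Fixed versions from the 2023-08-16 Jenkins advisory, keyed by the plugin
# short name (IDs assumed; confirm against the advisory if one looks wrong).
FIXED_VERSIONS = {
    "blueocean": "1.27.5.1",
    "config-file-provider": "953.v0432a_802e4d2",
    "delphix": "3.0.3",
    "flaky-test-handler": "1.2.3",
    "cloudbees-folder": "6.848.ve3b_fd7839a_81",
    "fortify": "22.2.39",
    "nodejs": "1.6.0.1",
    "shortcut-job": "0.5",
}


def version_key(version):
    """Sort key for Jenkins-style versions.

    Each dot-separated part contributes its leading integer; parts such as
    'v0432a_802e4d2' (the hash token of CD-style versions) carry no ordering
    information and are skipped. Missing trailing parts compare as lower,
    so 1.27.5 < 1.27.5.1, matching how Jenkins orders these versions.
    """
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if m:
            key.append(int(m.group()))
    return tuple(key)


def is_older(installed, fixed):
    return version_key(installed) < version_key(fixed)


def audit_plugins(plugin_manager_json, fixed=FIXED_VERSIONS):
    """Return {shortName: (installed, fixed)} for plugins below the fixed version."""
    data = json.loads(plugin_manager_json) if isinstance(plugin_manager_json, str) else plugin_manager_json
    findings = {}
    for plugin in data.get("plugins", []):
        name, installed = plugin.get("shortName"), str(plugin.get("version", ""))
        if name in fixed and is_older(installed, fixed[name]):
            findings[name] = (installed, fixed[name])
    return findings


# Constructed sample of the plugin manager API response (not from a real controller).
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "blueocean", "version": "1.27.5.1", "active": True},
        {"shortName": "cloudbees-folder", "version": "6.815.v0dd5a_cb_40e0e", "active": True},
        {"shortName": "config-file-provider", "version": "953.v0432a_802e4d2", "active": True},
        {"shortName": "nodejs", "version": "1.5.1", "active": True},
        {"shortName": "git", "version": "5.2.0", "active": True},
    ]
})

if __name__ == "__main__":
    # Live use: curl -s -u USER:API_TOKEN "https://jenkins.example/pluginManager/api/json?depth=1"
    # and pass the body in place of SAMPLE_PLUGIN_JSON.
    for name, (have, want) in sorted(audit_plugins(SAMPLE_PLUGIN_JSON).items()):
        print(f"{name}: installed {have}, fixed in {want}")
```

The comparison deliberately ignores the hash token of CD-style versions; those tokens are not ordered, and two releases with the same numeric prefix are the same build, so the numeric parts are the only thing worth comparing.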

Products like Jenkins that are sold to implement Continuous Integration/Continuous Delivery pipelines have features like SafeReStart and Quiet Start that enable pipelines to be seamlessly and safely resumed – great candidates for fast patching!

John Pescatore

Given Jenkins use in automating software development and delivery pipelines… you know the drill, patch now.

Curtis Dukes

2023-08-18

Credit Union Breach Reporting Requirement

The US National Credit Union Administration (NCUA) has announced that as of September 1, 2023, all federally insured credit unions must notify them of “reportable” cybersecurity events within 72 hours after becoming aware of the incident. NCUA defines a reportable incident as one that results in “a substantial loss of confidentiality, integrity, or availability of a network or member information system, … a disruption of business operations, or unauthorized access to sensitive data.”

Editor's Note

The recent SEC rule changes mandate notification within 96 hours for public financial institutions that suffer a material breach. The NCUA is requiring notification within 72 hours for ‘reportable’ cybersecurity breaches. Let’s not argue the efficacy of 72- vs 96-hour notification, but rather, harmonize on a single reporting standard for the financial sector, and perhaps every industry sector.

Curtis Dukes

If you're on a CU board, ask your CEO for details on what they consider the thresholds for reportable events to be, and whether they are clear on who is responsible to report and how. Then determine what notification you, as a board, expect. Remember you're governing, not operating.

Lee Neely

Fairly obvious requirement, good definition of what triggers the requirement, reasonable time.

William Hugh Murray

2023-08-21

Australian Software Company Experiences Cyberattack

Australian software company Energy One has disclosed that its network was the victim of a cyberattack last week. The company says that the incident affected systems in the UK as well as in Australia. It has not yet determined whether the attack affected customer-facing systems or what data were compromised.

Editor's Note

Nothing definitive yet. Keep an eye on their web site for updates on what was breached and current state.

Lee Neely

Think supply chain.

William Hugh Murray

Internet Storm Center Tech Corner

SystemBC Scans and ProxyNation

https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138

https://cybersecurity.att.com/blogs/labs-research/proxynation-the-dark-nexus-between-proxy-apps-and-malware

From a Zalando Phish to a RAT

https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136

Exchange Server Security Update Re-Release

https://techcommunity.microsoft.com/t5/exchange-team-blog/re-release-of-august-2023-exchange-server-security-update/ba-p/3900025

Ivanti Sentry Vulnerability Exploited

https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US

Hotmail SPF Record Error Leads to spam false positives

https://www.bleepingcomputer.com/news/microsoft/hotmail-email-delivery-fails-after-microsoft-misconfigures-dns/

DUO Security Outage

https://status.duo.com/incidents/rw7g0q7ztj8f

mTLS Vulnerabilities

https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/

RARLAB WinRAR Recovery Volume Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/

Google Chrome to Warn Users of Malicious Extensions

https://betanews.com/2023/08/17/google-chrome-to-warn-users-about-problematic-extensions/