SANS NewsBites

SEC Sues SolarWinds Over SUNBURST; Okta Keeps Leaking Data via 3rd Parties; Microsoft Cloud Trusted Computing Moment

November 3, 2023  |  Volume XXV - Issue #87

Top of the News


2023-10-31

SEC Files Civil Suit Against SolarWinds and its CISO

The US Securities and Exchange Commission (SEC) has filed a civil lawsuit against SolarWinds and its former Vice President of Security and Architecture, Timothy Brown, over the way they handled the supply chain attack that came to light in late 2020. The complaint alleges that the company and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened – and increasing – cybersecurity risks.”

Editor's Note

Read the lawsuit. Next, consider how many of the statements used against SolarWinds could be used against your organization. In my opinion, the lesson here is not "don't put your failings in writing," but rather "don't lie to your customers," and "having a policy isn't enough: You have to audit your systems to ensure compliance."

Johannes Ullrich

There will be much hand-wringing about a CISO being directly blamed and legal actions taken against the CISO, but Uber’s CISO was convicted on similar offenses in 2022. Look, we have put a lot of focus on the conflict of interest between business units and security or CIOs and security as decisions were made to maintain profits vs. achieve safety/security. If CISOs don’t fight the good fight to represent customers and stakeholders safety, but instead join in on false filings to regulators about those decisions, criminal prosecution will and should follow.

John Pescatore

Honest, transparent and complete communication has to be the tenet of today’s climate of ongoing incidents. Respect trust and support your customers. Assume dirty laundry will be aired, and that is not the side of the SEC or FTC you want to see. Review your policies and response plan to ensure you’re not in danger of heading down a similar path when it hits the proverbial fan.

Lee Neely

I’ve heard through the indictment and some of the internal communications that many in our industry would consider harmless, such as being sarcastic, being used in a court case. Internally, security teams in publicly traded sectors on the stock market may start to have their internal cultures changed. If two people are having a casual work conversation over a protected medium like instant messaging where they need to let out steam and talk shop, they won’t. I think this is going to have adverse ripple effects on our industry. It will have positive ones, don’t get me wrong, but some of the unintended consequences may be a cultural poison pill. As someone who uses a bit of levity during highly stressful situations, I can see a scenario where everyone must be very corporate, diminishing the talent pool that these companies can gather significantly. If you are curious about the exchange, go to page 37, number 124. If this is the type of thing we are using as evidence, we will all be guilty of humanity. I am not advocating for the belligerent actions of SolarWinds; I’m advocating for the merits of decency in these matters. The problems we face are intractable. It’s more sometimes like first responder police work than accountant work. These are numbers and Excel spreadsheets. These are attack groups with people behind them, using psychology at times. We must talk freely without worrying about being called into court for sarcasm. This will push out-of-band communications, which isn’t a positive move.

Moses Frost

This may be the first time that a CISO has been named in a SEC lawsuit; it certainly has the cybersecurity world buzzing. What will be arguable is the ‘independence’ of the CISO from the rest of the executive team. Should, as the SEC claims, the CISO and not the CEO have responsibility for informing customers and investors? Regardless, the CISO role is about to change for the better.

Curtis Dukes

The issue in this lawsuit is not about the damage but about the coverup. Security professionals should not give unwarranted comfort or unnecessary alarm. Holding suppliers accountable for shipping malicious code is essential to addressing the supply chain problem. That said, while security is the responsibility of line management, staff, including CISOs, may still be accountable for failure to recommend essential, appropriate, and efficient security measures, or for the failure to document rejection of any such recommendations.

William Hugh Murray

2023-11-02

Okta: Employee Data Stolen

Okta has notified about 5,000 current and former employees that their personal data were compromised when a third-party vendor’s systems were breached. The cybersecurity incident affected IT systems that belong to Rightway Healthcare. Okta learned of the incident, which occurred on September 23, in early October.

Editor's Note

There is nothing more important to an information security program than identity. Pick your vendors carefully, and document in detail why you accepted the risk to hand this critical information security function to a third party like Okta before the SEC comes knocking.

Johannes Ullrich

Just as the SolarWinds incident pointed out, attackers are very actively trying to compromise highly privileged apps like system management (see ServiceNow item in this issue). The same is obviously true about identity/authentication systems and password managers. But the real lesson on this one is supply chain security – your company is probably using similar third party services as part of reducing costs of employee benefits. These attacks call for compromise hunting around all of those services.

John Pescatore

According to Okta’s own statement (https://sec.okta.com/harfiles) the breach resulted from an employee using their personal Google profile on a company issued device which in turn stored the username and password of the Okta service account into that profile. A clear example of the risks posed by Shadow IT and lessons we should all take on how to ensure corporate credentials don’t leak into personal services.

Brian Honan

Another incident of third-party security issues. Notice that the headline is Okta data stolen, not Rightway Healthcare breach. Now imagine your business is secure authentication and identity management, and the third party is compromised by credential theft. Work to not only assess your third-party providers, but also offer to assist them with shortfalls; you are both stakeholders, not adversaries.

Lee Neely

The old adage, bad things come in threes, comes to mind with Okta. While this is a data breach with one of their third-party vendors, they still have a responsibility to understand the state of security with their suppliers. Companies should review their service level agreements with suppliers with an added focus on cybersecurity and incident reporting.

Curtis Dukes

2023-11-02

Microsoft’s Secure Future Initiative

Microsoft has launched its Secure Future Initiative, which includes a pledge from the company to improve the security of identity signing keys. The initiative rests on “three pillars: focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats.”

Editor's Note

For those of you around when the Blaster Worm hit, the recent Azure security issues are looking very much like the "trusted computing" moment Microsoft had around 2005. I like the first part about the security of identity, but they could have left out the feel-good statement about AI and international norms.

Johannes Ullrich

Obviously a good thing to see the top of Microsoft realizing the company’s focus had drifted away from “Security is Job 1.” Also, very good to see Microsoft EVP for Security Charlie Bell emphasized more focus on “Secure by Default,” though mostly for cloud services vs. operating systems. A bit of irony: both Bell and Microsoft VP Brad Smith spent a lot of time hyping up how AI tools are increasing security, while just 6 weeks ago Microsoft exposed 38TB of data through the use of AI and insecure defaults on Azure cloud storage…

John Pescatore

Interesting plans on leveraging AI to improve security. As our adversaries are using AI to make more successful attacks, launching initiatives to use AI to help with defense is a logical move. Moving to a model of secure by design/default is simple to state, and doable for new products, but retrofitting your legacy inventory can be daunting; keep an eye on players like Microsoft for clues on getting your arms around that.

Lee Neely

I know it’s not the Microsoft Trustworthy Computing Memo. But it also is an admission that they have moved away from the idea of Trustworthy Computing. Maybe it was by accident; maybe it was on purpose to catch up to the market. Let’s just put it this way: how do you release an API with Microsoft Graph and about 4 years later realize people need telemetry from it?

Moses Frost

Seems a bit like a marketing ploy by Microsoft given its recent cybersecurity stumbles. That said, Microsoft can reassert itself as a champion of secure software development and engineering best practices, similar to what it did with its Security Development Lifecycle in 2005.

Curtis Dukes

The Rest of the Week's News


2023-11-02

Boeing Acknowledges Cyberattack

Boeing has acknowledged that it is investigating a cyber incident that affected systems in the aerospace company’s parts and manufacturing division. Boeing said that flight safety is not impacted.

Editor's Note

The incident seems to be contained to their lucrative parts sales and distribution system. The bad news is the LockBit ransomware gang is behind this, and gave Boeing six days to begin negotiating. In other words, they play hard-ball. While this isn’t finished, Boeing has engaged cyber and law enforcement expertise. If you were in their shoes, could you not only be prepared to engage with the ransomware gang, but also have your cyber and legal response team in play all within six days? To include mitigations to prevent any retaliatory or copy-cat attacks?

Lee Neely

Two observations: 1) Yet another example that even well-resourced organizations can fall victim to a ransomware attack; and, 2) Stay tuned as Boeing reports the cost of this cyberattack, to include lost revenue from business operations.

Curtis Dukes

2023-10-31

ServiceNow Misconfigurations Could Lead to Data Leaks

ServiceNow says that misconfigurations in its platform could lead to data exposure. The misconfigurations were introduced in 2015. ServiceNow issued a fix for the vulnerability late last month. ServiceNow is used at an estimated 80 percent of Fortune 500 companies.

Editor's Note

But since the SolarWinds incident was back in 2021, surely all you ServiceNow users checked for vulnerabilities and compromise back then… This one is really just a good reminder that “misconfigurations” of any piece of software can be like chumming the water to attract sharks. If you need to, pay for pen testing and an external security review to get the need to check and monitor raised to CEO level. Have the contractor include a link to the SEC charges against SolarWinds.

John Pescatore

The take-away here is to review your ServiceNow ACLs regularly, to include what’s public. Make sure that objects which are marked public are truly intended to be public. Where you have ACLs which allow for unauthenticated access, but you intend to restrict to logged-in users, add gs.isLoggedIn() to the script section.

Lee Neely
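The ACL rule Lee Neely describes above, shown as an added model rather than ServiceNow's own code: the real platform evaluates ACLs server-side, and the `makeGs()` stub here only mimics `gs.isLoggedIn()` and `gs.hasRole()`. The ACL definitions, session objects, role names and the record are constructed for this example. It shows why an ACL with no role and no script is reachable by an unauthenticated visitor, what the `gs.isLoggedIn()` script condition changes, and an audit helper that lists every ACL in an inventory that still passes for an anonymous request.

```javascript
// Added illustration of the ACL rule behind the ServiceNow item; it is
// not ServiceNow code. The real platform evaluates ACLs server-side;
// makeGs() only mimics gs.isLoggedIn() and gs.hasRole(), and the ACLs,
// sessions, role names and record below are constructed for the example.

function makeGs(session) {
  return {
    isLoggedIn: () => session.userId !== null && session.userId !== undefined,
    hasRole: (role) => (session.roles || []).includes(role),
  };
}

// An ACL here is { name, roles: [...], script: (gs, record) => boolean }.
// Same shape as the platform rule: the requester must hold one of the listed
// roles (an empty list imposes no role requirement) AND the script, if any,
// must set `answer` to true. No roles plus no script means anyone, including
// an unauthenticated visitor, passes. That is what "public" means in practice.
function aclAllows(acl, gs, record) {
  const roles = acl.roles || [];
  const roleOk = roles.length === 0 || roles.some((r) => gs.hasRole(r));
  if (!roleOk) return false;
  if (typeof acl.script !== 'function') return true;
  return acl.script(gs, record) === true;
}

// Misconfigured ACL: no role, no script. Every request reads the record.
const publicAcl = { name: 'x_demo_kb.read.public', roles: [], script: null };

// Hardened ACL: the script section requires an authenticated session
// (the gs.isLoggedIn() check from the note above) and, for records
// flagged internal_only, the itil role as well.
const hardenedAcl = {
  name: 'x_demo_kb.read.hardened',
  roles: [],
  script: (gs, record) => {
    let answer = gs.isLoggedIn();
    if (record.internal_only === true) {
      answer = answer && gs.hasRole('itil');
    }
    return answer;
  },
};

// Constructed sessions and record.
const anonymous = { userId: null, roles: [] };
const employee = { userId: 'u123', roles: ['snc_internal'] };
const analyst = { userId: 'u456', roles: ['snc_internal', 'itil'] };
const kbArticle = { number: 'KB0010001', internal_only: true };

// Audit helper for the "review what is public" step: evaluate every ACL
// in an inventory as an unauthenticated visitor and return those that pass.
function findPublicAcls(acls, record) {
  const gs = makeGs(anonymous);
  return acls.filter((acl) => aclAllows(acl, gs, record)).map((acl) => acl.name);
}

function demo() {
  return {
    publicAnonymous: aclAllows(publicAcl, makeGs(anonymous), kbArticle),
    hardenedAnonymous: aclAllows(hardenedAcl, makeGs(anonymous), kbArticle),
    hardenedEmployee: aclAllows(hardenedAcl, makeGs(employee), kbArticle),
    hardenedAnalyst: aclAllows(hardenedAcl, makeGs(analyst), kbArticle),
    stillPublic: findPublicAcls([publicAcl, hardenedAcl], kbArticle),
  };
}

console.log(demo());
```

Running `demo()` shows the anonymous request passing the public ACL and failing the hardened one, the logged-in employee without `itil` still being refused the internal-only article, and `findPublicAcls()` naming only the misconfigured ACL. The same evaluate-as-anonymous approach is what a periodic ACL review should automate: the list it returns is the set of objects that must be deliberately, not accidentally, public.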

APIs, and their representation as widgets, should have a set of permissions to perform actions through the interface. ServiceNow misconfigured the default access control list (ACL) that the widgets check. Vendors are always viewed more favorably when they are transparent in communicating a security vulnerability to their customers and investors.

Curtis Dukes

2023-11-02

Atlassian: Patch Critical Flaw in Confluence Data Center and Server

Atlassian is warning that there is a publicly released exploit for a recently disclosed improper authorization vulnerability in its Confluence Data Center and Server. Organizations are urged to upgrade to Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1. If they cannot upgrade immediately, Atlassian has also suggested mitigations.

Editor's Note

The short version is Atlassian recommends removing public access to your Internet facing Confluence sites until you’ve got the patch applied. It’s likely simpler and faster to just apply the patch rather than go through two change management iterations, even if treated as an emergency change. It may be time to re-assess the viability of their hosted version where they are taking care of these issues.

Lee Neely

Is Google Chrome or Atlassian this generation of Adobe Reader? It's hard to decide who gets patches more often. If it's by exploit potential, I think Atlassian has probably been responsible for more companies being breached. At least it’s not because of “atlassian123!”

Moses Frost

2023-11-02

FIRST Releases CVSS 4.0

The Forum of Incident Response and Security Teams (FIRST) has published an updated version of the Common Vulnerability Scoring System. According to FIRST, CVSS 4.0 “offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls.”

Editor's Note

Remember when Microsoft would not use CVSS scoring? Two decades of CVSS by FIRST and volunteers have continued to improve the tools available to use the scores, but the reality of today’s attacks means patching any software on the path between bad guys and the crown jewels needs to happen - even those “Medium” 6.8s. A realist view of attack probability: “It may only be a 10% probability that an attacker will exploit that 6.8 scored vulnerability, but 90% of the time we fall in that 10%.”

John Pescatore

CVSS 1.0 was introduced in February 2005, version 2 in June 2007, version 3 in 2015. The last change to CVSS scoring was version 3.1 in 2019. Version 4 is intended to help you assess the relevance of a given score, including threat intel and environmental metrics, also incorporating OT/IoT differentiators. Version 4.0 adds additional scoring nomenclature to support that: CVSS-B: CVSS Base Score, CVSS-BT: CVSS Base + Threat Score, CVSS-BE: CVSS Base + Environmental Score and CVSS-BTE: CVSS Base + Threat + Environmental Score.

Lee Neely
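The nomenclature Lee Neely lists above depends on which metric groups a vector actually carries. The following is an added example, not FIRST's reference calculator: it parses a CVSS v4.0 vector string, rejects malformed or non-4.0 input, and reports whether the result is a CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE assessment. The metric abbreviations are those of the v4.0 specification; the sample vectors at the bottom are constructed for the example.

```javascript
// Added example, not FIRST's reference implementation: parse a CVSS v4.0
// vector string and report which nomenclature applies (CVSS-B, -BT, -BE,
// -BTE) from the metric groups it carries. Metric abbreviations are the
// v4.0 specification's; the sample vectors at the bottom are constructed.

const BASE = ['AV', 'AC', 'AT', 'PR', 'UI', 'VC', 'VI', 'VA', 'SC', 'SI', 'SA'];
const THREAT = ['E']; // Exploit Maturity is the only v4.0 threat metric
const ENVIRONMENTAL = [
  'CR', 'IR', 'AR',                          // confidentiality/integrity/availability requirements
  'MAV', 'MAC', 'MAT', 'MPR', 'MUI',         // modified exploitability metrics
  'MVC', 'MVI', 'MVA', 'MSC', 'MSI', 'MSA',  // modified impact metrics
];
const SUPPLEMENTAL = ['S', 'AU', 'R', 'V', 'RE', 'U']; // informational, never change the score

const KNOWN = new Set([...BASE, ...THREAT, ...ENVIRONMENTAL, ...SUPPLEMENTAL]);

// Returns { metricName: value }. Rejects non-4.0 prefixes, malformed or
// duplicated metrics, unknown names, and vectors missing any base metric,
// since every base metric is mandatory in v4.0.
function parseCvss4(vector) {
  const parts = vector.trim().split('/');
  if (parts[0] !== 'CVSS:4.0') {
    throw new Error('not a CVSS v4.0 vector: ' + parts[0]);
  }
  const metrics = {};
  for (const part of parts.slice(1)) {
    const pieces = part.split(':');
    if (pieces.length !== 2 || pieces[0] === '' || pieces[1] === '') {
      throw new Error('malformed metric: ' + part);
    }
    const [name, value] = pieces;
    if (!KNOWN.has(name)) throw new Error('unknown metric: ' + name);
    if (name in metrics) throw new Error('duplicate metric: ' + name);
    metrics[name] = value;
  }
  for (const name of BASE) {
    if (!(name in metrics)) throw new Error('missing base metric: ' + name);
  }
  return metrics;
}

// A group is populated only if at least one of its metrics is present with
// a value other than X (Not Defined). E:X, for instance, leaves the
// nomenclature at CVSS-B.
function populated(metrics, names) {
  return names.some((n) => n in metrics && metrics[n] !== 'X');
}

function nomenclature(vector) {
  const m = parseCvss4(vector);
  const threat = populated(m, THREAT);
  const env = populated(m, ENVIRONMENTAL);
  if (threat && env) return 'CVSS-BTE';
  if (threat) return 'CVSS-BT';
  if (env) return 'CVSS-BE';
  return 'CVSS-B';
}

// Constructed vectors for a network-reachable, unauthenticated,
// high-impact flaw, as a scanner or advisory might present them.
const BASE_ONLY = 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N';
const SAMPLES = {
  base: BASE_ONLY,
  withThreat: BASE_ONLY + '/E:A',              // exploitation reported in the wild
  withEnvironment: BASE_ONLY + '/CR:H/MAV:A',  // in our deployment it is only adjacent-reachable
  withBoth: BASE_ONLY + '/E:P/AR:L/MPR:L',
  threatNotDefined: BASE_ONLY + '/E:X/S:P',    // supplemental S:P changes nothing
};

function classifySamples() {
  const out = {};
  for (const [label, vector] of Object.entries(SAMPLES)) {
    out[label] = nomenclature(vector);
  }
  return out;
}

console.log(classifySamples());
```

The practical use is labelling: a feed that only ever emits base vectors is handing you CVSS-B numbers, which say nothing about whether the flaw is being exploited (that is the `E` threat metric, the closest thing in CVSS to Moses Frost's KEV question) or how exposed your own deployment is (the environmental metrics). Knowing which of the four you are looking at is the first step before comparing scores across sources.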

I have a question about CVSS that maybe we can all talk about. What is more important, CVSS or CISA’s KEV? In other words, does it matter what your CVSS score is across all your software, when a single exploit in your VPN or Load Balancer gets you fully owned?

Moses Frost

Well, it has been eight years since CVSS 3.0 was released, so an update was due. That said, I’m uncertain that the changes will be adopted quickly as some of the new metrics require data from external sources.

Curtis Dukes

2023-11-02

Ontario Hospitals Systems Still Experiencing Downtime

Five hospitals in Ontario, Canada are still unable to access electronic health records and other information nearly two weeks after their IT services provider was targeted by a ransomware attack. The five hospitals -- Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital -- along with their shared service provider TransForm Shared Service have also disclosed that the attackers stole information from their IT systems.

Editor's Note

The condition of the hospitals has been characterized as “Code Grey” as they still don’t have access to patient records after two weeks. While TransForm is still actively working to recover, the hospitals are still facing work-around measures. The question is how long can you effectively operate on Plan B? (Manual processing or otherwise). Then the really hard part - how will you re-incorporate that data into your systems in a timely fashion, to include provisions where on-line versions are available but not updated? Now schedule a time to run through that scenario in depth.

Lee Neely

While one understands that healthcare systems are stressed, it is both essential and efficient to isolate clinical systems from public network facing applications like e-mail and browsing and employ strong authentication on those applications.

William Hugh Murray

2023-10-31

British Library Confirms Cyber Incident

On Saturday, October 28, the British Library disclosed that its systems were affected by an incident causing a major outage. The library said the attack “is affecting [the library’s] online systems and services, our website, and on-site services including our Reading Rooms.” The Toronto Public Library also recently disclosed a cybersecurity incident.

Editor's Note

The British Library seems to have been hit much harder than TPL. In this case, the library’s internal systems for providing Internet access to patrons are also offline, having been replaced by local hotspots. As such, their web and phone services are also off-line. They are using X (Twitter) to keep the public apprised of their situation. Think about how you’d inform customers if your primary communication paths were offline. Then consider what you can do to separate/protect your public facing services from being impacted when other systems are compromised.

Lee Neely

2023-11-02

Ace Hardware Experiences Cybersecurity Incident

A cyberattack is causing problems for Ace Hardware servers. The issue is preventing customers from placing online orders. The attack has also affected Ace’s Warehouse Management Systems, the Ace Retailer Mobile Assistant (ARMA), Hot Sheets, Invoices, Ace Rewards and the Care Center’s phone system. Ace CEO John Venhuizen said that 1,202 of the company’s 4,900 servers and connected devices need to be restored.

Editor's Note

While Ace has been communicating about what’s on/offline, their employees are feeling uncertainty, having been sent home when their business unit is unable to operate, without assurances they would be paid in a timely fashion. The action here is to make sure that you are taking care of your people when an incident shuts down parts of your operation. Think out of the box, consider partnering with your credit union, or other FI, to provide bridging loans, payroll advances, etc. to reassure your staff they are also being looked after while you’re getting the incident resolved.

Lee Neely

Internet Storm Center Tech Corner

Quick Tip for Artificially Inflated PE Files

https://isc.sans.edu/diary/Quick+Tip+For+Artificially+Inflated+PE+Files/30370

Malware Dropped Through a ZPAQ Archive

https://isc.sans.edu/diary/Malware+Dropped+Through+a+ZPAQ+Archive/30366

Multiple Layers of Anti-Sandboxing Techniques

https://isc.sans.edu/diary/Multiple+Layers+of+AntiSandboxing+Techniques/30362

Apache ActiveMQ Flaw Exploited

https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt

https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/

Critical Firepower Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hN

Dozens of npm Packages Caught Attempting to Deploy Reverse Shell

https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/

CVSS 4.0 Now Official

https://www.first.org/cvss/v4-0/index.html

MOZI Botnet Kill Switch

https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/

URL Shorteners in .us

https://securityonline.info/infoblox-uncovers-malicious-wave-in-us-domain-registrations/

Impersonating Slack Users

https://falconspy.org/redteam/tradecraft/2023/10/05/2023-10-05-Slack-Impersonation.html

CVE-2023-22518 Improper Authorization Vulnerability in Confluence Data Center and Server

https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

Malvertisement Promotes Malicious PyCharm Version

https://www.malwarebytes.com/blog/threat-intelligence/2023/10/malvertising-via-dynamic-search-ads-delivers-malware-bonanza

Thorn SFTP Gateway Java Deserialization RCE CVE-2016-1000027 CVE-2023-47174

https://help.thorntech.com/docs/sftp-gateway-gcp-3.0/gcp-java-deserialization-rce/