SANS NewsBites

Breach Impacts Snowflake Cloud Customers; Zero Trust Survey; PoC for Check Point Vulnerability Released

June 4, 2024  |  Volume XXVI - Issue #43

Top of the News


2024-06-03

Snowflake Breach Affects Ticketmaster, Santander

A data breach involving the cloud data platform Snowflake has affected several of its customers, including Ticketmaster and Santander. In an SEC filing last week, Ticketmaster parent company Live Nation disclosed that it “identified unauthorized activity within a third-party cloud database environment containing Company data.” In mid-May, Santander released a statement noting that it “recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” In a recent update about the incident, Snowflake indicated that it believed the attack to be the result of credential stuffing, while also noting that it had found evidence that a threat actor obtained access credentials belonging to a former Snowflake employee.

Editor's Note

It is unclear at this point how much of this is a Snowflake issue and how much of this is a customer problem. Just because the provider offers stupid authentication options doesn't mean you have to use them.

Johannes Ullrich

Rotate those Ticketmaster credentials and enable two-factor authentication. While some of the details about how data was breached are changing, the constant is that reusable credentials were compromised. Your task is to verify that you require MFA for all access to third-party services, as well as understand their level of access and access control mechanisms. Make sure you have access control rules to only allow authorized users and systems to access these services. Are you getting logs to your SIEM? Verify you have plans for rotating credentials if required/compromised.

Lee Neely

Kudos to Snowflake for responding to the reports of the breach so quickly and for identifying that the cause was not a breach of their systems. It appears the cause of these breaches is client accounts with weak or compromised passwords, married with a lack of Multi-Factor Authentication. This however should not let Snowflake off the hook entirely. As we become more and more reliant on cloud service providers, those same cloud service providers need to take a more proactive approach to ensure their user base has appropriate security controls in place, such as making MFA on by default, better integration with clients' Identity and Access Management platforms, providing better access to security logs, to mention just a few.

Brian Honan

Since the user count on this one is so high, good idea to remind employees that if they used Ticketmaster, they need to update every other place they used the same password. The high impacted user count will also exacerbate finger pointing on who is actually liable for the breach.

John Pescatore

The blame game continues. Credential theft is a top enabler for many security incidents. Evildoers know this and often target third-party service providers to maximize the attack and potential payoff. Bottom line: what’s common between Ticketmaster and Santander is the use of Snowflake; that fact isn’t under dispute.

Curtis Dukes
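The credential-stuffing pattern described in this item lends itself to a simple check over login telemetry: one source address failing against many distinct usernames, followed by password-only successes. The following is an added example, not code from the newsletter, from Snowflake or from any of the affected companies. The event fields (user, source IP, outcome, whether a second factor was used) are a hypothetical schema to map your provider's login history or SIEM records onto, and the events themselves are constructed sample data.

```python
"""Triage login events for credential stuffing landing on accounts without a
second factor. Added example; the event schema below is hypothetical and the
SAMPLE_EVENTS are constructed, not real telemetry."""
from collections import defaultdict

# Constructed sample: one source sprays six usernames, fails four, and succeeds
# against two accounts that only ever used a password. The remaining events are
# legitimate logins, plus a service account that still authenticates by password.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T01:00:01Z", "user": "alice",   "ip": "203.0.113.7",   "ok": False, "mfa": False},
    {"ts": "2024-05-20T01:00:02Z", "user": "bob",     "ip": "203.0.113.7",   "ok": False, "mfa": False},
    {"ts": "2024-05-20T01:00:03Z", "user": "carol",   "ip": "203.0.113.7",   "ok": True,  "mfa": False},
    {"ts": "2024-05-20T01:00:04Z", "user": "dave",    "ip": "203.0.113.7",   "ok": False, "mfa": False},
    {"ts": "2024-05-20T01:00:05Z", "user": "erin",    "ip": "203.0.113.7",   "ok": True,  "mfa": False},
    {"ts": "2024-05-20T01:00:06Z", "user": "frank",   "ip": "203.0.113.7",   "ok": False, "mfa": False},
    {"ts": "2024-05-20T08:15:00Z", "user": "alice",   "ip": "198.51.100.20", "ok": False, "mfa": False},
    {"ts": "2024-05-20T08:15:10Z", "user": "alice",   "ip": "198.51.100.20", "ok": True,  "mfa": True},
    {"ts": "2024-05-20T09:00:00Z", "user": "bob",     "ip": "198.51.100.21", "ok": True,  "mfa": True},
    {"ts": "2024-05-20T09:30:00Z", "user": "etl_svc", "ip": "198.51.100.30", "ok": True,  "mfa": False},
]


def spraying_sources(events, min_users=5, min_failures=3):
    """Source IPs whose failed logins were spread over many distinct usernames.

    Returns {ip: sorted distinct usernames}. One user retrying a forgotten
    password fails on one account; a stuffing tool fails across many."""
    users_by_ip = defaultdict(set)
    failures_by_ip = defaultdict(int)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if not e["ok"]:
            failures_by_ip[e["ip"]] += 1
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_users and failures_by_ip[ip] >= min_failures
    }


def password_only_successes(events):
    """(user, ip) for every successful login that used no second factor."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and not e["mfa"]]


def triage(events):
    """Split password-only successes into likely takeovers (from a spraying
    source) and accounts that merely still lack MFA."""
    sources = spraying_sources(events)
    takeovers, need_mfa = set(), set()
    for user, ip in password_only_successes(events):
        (takeovers if ip in sources else need_mfa).add(user)
    return {
        "spraying_ips": sources,
        "likely_takeovers": sorted(takeovers),
        "password_only_accounts": sorted(need_mfa - takeovers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The three lists map onto three actions: the spraying sources are what you block and whose sessions you revoke, the likely takeovers are the accounts whose credentials get rotated first, and the password-only accounts are the backlog for MFA enforcement (or, for service accounts, for replacing the reusable password with a non-password credential plus network restrictions). Thresholds are deliberately low for the tiny sample; tune them against your own baseline.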

2024-05-31

Entrust’s 2024 State of Zero Trust & Encryption Study

Among the findings of Entrust’s 2024 State of Zero Trust & Encryption Study: the primary reason organizations give for investing in security is now to reduce the risk of breaches and other cybersecurity incidents, whereas in past years the primary reason was compliance; and while 62 percent of organizations worldwide have begun adopting zero trust, the figure for the US is 48 percent. For the study, Entrust surveyed more than 4,000 IT practitioners worldwide.

Editor's Note

Compliance does not necessarily lead to security but is better than non-compliance. Reducing risk in general, and of breaches in particular, is a better strategy. However, risk management requires special knowledge, skills, ability, and experience. The last is in particularly short supply.

William Hugh Murray

It is refreshing to see companies change their focus from compliance to a risk-based approach. Having an effective compliance program in place may not necessarily result in effective security, but having an effective risk management program has a much better chance of not only resulting in effective security but also in meeting compliance requirements.

Brian Honan

Part of this change in mindset has been an increasing number of cybersecurity settlements at both the state and federal level, where organizations are being held accountable for data breaches. In addition to a monetary penalty, companies also agree to implement significant remedial efforts to better protect customer data. It’s part of a ‘wakeup call’ to organizations to implement reasonable cybersecurity.

Curtis Dukes

Zero Trust is burdened by both technology and culture change. It's not as simple as dropping the firewall and requiring MFA on every entry point. The pillars that support Zero Trust include base improvements to cyber security posture which have benefits even if you're not going full ZTA. Go through NIST's Zero Trust Maturity Model to look at where you can raise the bar. Look to existing capabilities which are already included in products and services, such as encryption at rest and in transit from IaaS and SaaS providers, information protection, classification and monitoring from your office productivity suite, and MFA capabilities in your IDP which may have been overlooked.

Lee Neely

2024-06-03

PoC for Check Point Vulnerability Released

Proof-of-concept exploit code has been released for a zero-day arbitrary file read vulnerability in Check Point Security Gateway. Check Point published hotfixes last week to remediate the vulnerability, which affects Security Gateways with the IPSec VPN or Mobile Access blades enabled. Check Point’s support page includes a procedure for identifying vulnerable gateways. Censys has observed nearly 14,000 Internet-facing devices running the affected products, but it is not clear how many of these are actually vulnerable. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 30; Federal Civilian Executive Branch (FCEB) agencies have until June 20 to address it.

Editor's Note

The PoC demonstrates how to retrieve the "/etc/shadow" file, showing that Check Point is yet another security appliance running its web server as root. While passwords are reasonably well hashed, they will be brute forced if they are too simple. We are also already seeing some scans for this vulnerability.

Johannes Ullrich

If you were putting off deploying the hotfixes, that window has closed with the PoC. Attackers are focused on compromising old local accounts with password-only authentication. You need to make sure that you not only follow the post-hotfix (important extra measures) instructions on the Check Point site, which address local accounts, but also check for IOCs to make sure you're clean. Check Point is helping affected customers resolve any exploitation, and the severity has been raised from 7.5 to 8.6.

Lee Neely

If you’re a user of the Check Point Security Gateway, don’t worry about checking to see if you’re vulnerable – you are. Go ahead and implement the hotfix and save yourself from additional work.

Curtis Dukes

The Rest of the Week's News


2024-06-04

Cox Communications Cable Modem Vulnerability

A critical vulnerability in a Cox Communications API may have been used to alter the configuration or firmware of Cox-managed cable modems. Cable ISPs push custom firmware and settings to customer modems so that they interoperate with a particular cable system. The API used to manage these settings did not properly authenticate requests and allowed anybody to retrieve or alter settings. The author of the post alleges that their own modem was compromised, possibly via this vulnerability. Cox Communications acknowledged the vulnerability but denied having detected any abuse of it to manipulate customer modems.

Editor's Note

Even customer owned modems are usually managed and provided with custom firmware. Your best bet is to consider the modem as "hostile" as the rest of the internet. Configure it in "bridge" mode and use your own firewall/router to provide access control and protect your own devices.

Johannes Ullrich
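The shape of the flaw summarized above, as an added example that is neither Cox's code nor the researcher's: a minimal settings API that "authorizes" by comparing against an account id the caller itself supplies, next to a version that takes identity from the session and checks that the modem belongs to that account. The inventory, session tokens, MAC addresses, field names and request structure are all hypothetical.

```python
"""Device-settings API: a caller-controlled account id as the only check
(vulnerable) versus session identity plus an ownership check (hardened).
Added example; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed inventory: which customer account owns which modem, by MAC.
MODEMS = {
    "00:11:22:33:44:55": {"owner": "acct-1001", "ssid": "HomeNet", "remote_mgmt": False},
    "66:77:88:99:aa:bb": {"owner": "acct-2002", "ssid": "Cafe", "remote_mgmt": False},
}

# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"tok-alice": "acct-1001", "tok-mallory": "acct-2002"}


class Forbidden(Exception):
    pass


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# --- Vulnerable: the "account" query parameter is chosen by the caller, so the
# ownership comparison proves nothing. Anyone who knows (or enumerates) a MAC
# and the matching account id can read or rewrite that modem's settings.
def update_settings_vulnerable(req: Request) -> dict:
    modem = MODEMS[req.params["mac"]]
    if modem["owner"] != req.params.get("account"):
        raise Forbidden("wrong account")
    modem.update(req.body)
    return dict(modem)


# --- Hardened: identity comes from the session, authorization from ownership.
def authenticate(req: Request) -> str:
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise Forbidden("not authenticated")
    return SESSIONS[token]


ALLOWED_FIELDS = {"ssid", "remote_mgmt"}  # callers never write "owner"


def update_settings_hardened(req: Request) -> dict:
    account = authenticate(req)
    modem = MODEMS.get(req.params["mac"])
    # Object-level check: the device must belong to the authenticated account.
    # "Missing" and "not yours" get the same error so MACs cannot be enumerated.
    if modem is None or modem["owner"] != account:
        raise Forbidden("no such device for this account")
    # Field allow-list blocks mass assignment of the ownership record itself.
    unexpected = set(req.body) - ALLOWED_FIELDS
    if unexpected:
        raise Forbidden(f"fields not writable: {sorted(unexpected)}")
    modem.update(req.body)
    return {k: v for k, v in modem.items() if k != "owner"}


def demo() -> dict:
    """Mallory (acct-2002) tries to enable remote management on Alice's modem."""
    attack = Request(headers={"Authorization": "Bearer tok-mallory"},
                     params={"mac": "00:11:22:33:44:55", "account": "acct-1001"},
                     body={"remote_mgmt": True})
    vulnerable = update_settings_vulnerable(attack)["remote_mgmt"]  # attack succeeds
    MODEMS["00:11:22:33:44:55"]["remote_mgmt"] = False  # reset before the second run
    try:
        update_settings_hardened(attack)
        hardened = "allowed"
    except Forbidden as err:
        hardened = str(err)
    return {"vulnerable_result": vulnerable, "hardened_result": hardened,
            "remote_mgmt_after": MODEMS["00:11:22:33:44:55"]["remote_mgmt"]}


if __name__ == "__main__":
    print(demo())
```

The fix is not the bearer token by itself; it is that the object being modified is looked up relative to the authenticated principal, and that the writable fields are enumerated. An API that authenticates but then honours a caller-supplied account or device identifier has the same exposure as one with no authentication at all.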

2024-06-03

NIST NVD Contractor Identified

The contractor selected to help the US National Institute of Standards and Technology (NIST) manage the backlog of National Vulnerability Database (NVD) CVEs is Analygence, a company already contracted to perform other IT and security-related work for NIST. Analygence will help NIST with both the CVE backlog and new NVD submissions.

Editor's Note

Good to see a path forward. NVD is too important to get ground up in inter-agency competency battles. Let’s hope Analygence is actually delivering. Personally, I would have loved to see an academic partnership, but as long as this leads to a reliable product, I am all for it.

Johannes Ullrich

Seems like it was just yesterday they said they were going to hire a company for this. That they moved this quickly indicates how seriously they are taking solving this problem. A big advantage here is that Analygence can use their hiring practices rather than the somewhat more onerous agency processes to rapidly staff up, or down, as is required to absorb the workload. Even so, don't expect the backlog to be resolved before September.

Lee Neely

2024-06-03

Hugging Face Says Spaces Platform was Breached

Hugging Face says they have detected unauthorized access to their Spaces platform that may have compromised “a subset of Spaces’ secrets.” They have revoked some Hugging Face tokens “as a first step of remediation;” affected users have been notified.

Editor's Note

"Spaces" is essentially a "container as a service" or "serverless" platform. As other providers in this space have learned, cross-tenant security is hard if not impossible in these scenarios. But given the business need to rush out half-baked AI features, it is very appropriate for organizations to upload proprietary data to these platforms to stay ahead of the competition.

Johannes Ullrich

Hugging Face has made fine-grained access tokens the new default, and strongly suggests switching to them. They have also eliminated org tokens, which will help with audit and traceability, as well as implemented a key management service for Spaces secrets, which will improve their ability to revoke and manage these.

Lee Neely

2024-06-01

Manifest V2 Extensions Will Soon Stop Working on Some Chrome Builds

Google has begun phasing out Manifest V2 extensions in Chrome. As of Monday, June 3, users with Manifest V2 extensions installed on the Chrome Beta, Dev, and Canary channels will start to see warning banners on their extension management page telling them that some of their Manifest V2 extensions will no longer be supported. Eventually, users will be directed to the Chrome Web Store, where Manifest V3 extensions will be recommended as replacements for those no longer supported.

Editor's Note

Manifest V3 is intended to improve the security, privacy, performance and trustworthiness of extensions. V3 limits extension access to user network requests, forces users to include all functions locally (no more remote code), and moves request modifications and background page requests to service workers in the browser. This has impacts on extension behavior, particularly for those which were updating content/functionality dynamically. Check the extension developer's page for information on how their Manifest V3 version will work.

Lee Neely

2024-05-31

Linux Kernel Flaw Added to CISA’s Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a vulnerability in the Linux kernel is being actively exploited. The use-after-free issue in the ‘netfilter: nf_tables’ component can be exploited to achieve local privilege escalation. Users are urged to apply mitigations if available, or discontinue use of the product. Federal Civilian Executive Branch (FCEB) agencies have until June 20 to mitigate the vulnerability.

Editor's Note

This affects kernel versions between 5.14 and 6.6, which means your RHEL 9 systems as well as AlmaLinux, Debian, Gentoo, SUSE, and Ubuntu need to be updated. The good news is that patches were made available in February, so push those updates if you haven't already. The not so good news is that PoC code was published in March, which claimed a 99.4% success rate, as well as the vulnerability being trivial to exploit.

Lee Neely
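A fleet-triage check for this item, written as an added example that is not code from CISA, the kernel project or any distribution. It tests whether the running kernel's major.minor falls in the 5.14 to 6.6 range cited in the note above, whether nf_tables is loaded or built in, and whether unprivileged user namespaces are available. The mitigations it looks for (nf_tables not loaded where the host does not use nftables, unprivileged user namespaces restricted) are the ones commonly recommended for nf_tables local privilege-escalation bugs and are stated here as assumptions to confirm against your vendor's advisory; the version test alone cannot tell a patched kernel from an unpatched one, because distributions backport fixes without changing major.minor.

```python
"""Triage a host against the nf_tables use-after-free discussed above.
Added example, not code from CISA, the kernel project or any distribution.
The 5.14 - 6.6 range is the one cited in the editor's note; the mitigations
checked for are assumptions to confirm against your vendor's advisory."""
import os
import platform
import re

AFFECTED_LO, AFFECTED_HI = (5, 14), (6, 6)


def major_minor(release):
    """'6.5.0-28-generic' -> (6, 5); raises ValueError if unparsable."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"cannot parse kernel release {release!r}")
    return int(m.group(1)), int(m.group(2))


def in_affected_range(release, lo=AFFECTED_LO, hi=AFFECTED_HI):
    """True when major.minor lies within [lo, hi]. Triage filter only:
    distributions backport fixes without bumping major.minor, so an
    in-range kernel may already carry the fix."""
    return lo <= major_minor(release) <= hi


def _read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def nf_tables_present(proc_modules="/proc/modules", sys_module="/sys/module/nf_tables"):
    """Loaded as a module (first column of /proc/modules) or visible under
    /sys/module, which also covers some built-in configurations."""
    listing = _read(proc_modules) or ""
    if any(line.split(" ", 1)[0] == "nf_tables" for line in listing.splitlines()):
        return True
    return os.path.isdir(sys_module)


def unprivileged_userns_allowed(debian_knob="/proc/sys/kernel/unprivileged_userns_clone",
                                max_ns="/proc/sys/user/max_user_namespaces"):
    """False if the Debian/Ubuntu knob is 0 or the upstream per-user limit is 0
    (no user namespaces at all); otherwise assume an unprivileged process can
    create one, which is how an unprivileged user reaches nf_tables."""
    for path in (debian_knob, max_ns):
        value = _read(path)
        if value is not None and value.strip() == "0":
            return False
    return True


def assess(release, nft_present, userns_allowed):
    """Combine the three signals into a verdict plus follow-up actions."""
    in_range = in_affected_range(release)
    actions = []
    if in_range:
        actions.append("confirm the vendor fix is installed; uname alone cannot tell")
    if in_range and nft_present:
        actions.append("blocklist nf_tables if this host does not use nftables")
    if in_range and userns_allowed:
        actions.append("restrict unprivileged user namespaces if workloads allow")
    return {
        "release": release,
        "in_affected_range": in_range,
        "nf_tables": nft_present,
        "unprivileged_userns": userns_allowed,
        "exposed": in_range and nft_present and userns_allowed,
        "actions": actions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(platform.release(), nf_tables_present(),
                            unprivileged_userns_allowed()), indent=2))
```

Run it through your configuration-management or EDR scripting channel and collect the JSON; hosts with "exposed": true are the ones to patch or mitigate first, and hosts that report an in-range kernel but no exposure still need the package-level check, since the version string is only a filter.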

2024-06-03

Update Available to Fix High Severity Flaw in Atlassian Confluence

Atlassian has released updates to address a high-severity remote code execution vulnerability in Confluence Data Center and Server. The flaw was introduced in Confluence Data Center and Server version 5.2 and is fixed in versions 8.9.1, 8.5.9, and 7.19.22.

Editor's Note

Exploiting the flaw requires network access to the system as well as privileges to add new macro languages. Even if none of your users has those privileges, apply the update to remove the vulnerable code; future you will appreciate this. It's also a good time to revisit the choice to host Confluence locally. Make sure those drivers haven't changed. Note that FedHIVE offers a FedRAMP High Jira/Confluence SaaS environment.

Lee Neely

2024-05-31

US Department of Health and Human Services Will Allow Change Healthcare to File Breach Notifications on Behalf of Affected Organizations

The US Department of Health and Human Services (HHS) will now allow Change Healthcare to file Health Insurance Portability and Accountability Act (HIPAA) breach notices on behalf of organizations affected by the massive ransomware attack earlier this year. HHS initially required every affected organization to file its own notice. On Friday, May 31, the HHS Office for Civil Rights (OCR) amended its Change Healthcare cybersecurity incident FAQ to reflect the change. Organizations wishing Change Healthcare to file HIPAA notices on their behalf must contact Change Healthcare.

Editor's Note

Now that that’s settled, the notices can be sent and victims notified. Change Healthcare should pay all costs associated with this security incident to include credit monitoring services.

Curtis Dukes

My understanding is that Change Healthcare handled 1 in 3 medical records and processed half of all medical claims in the US at the time of the breach. Change Healthcare's parent, UnitedHealth, told Congress that about one-third of Americans had information accessed by the hackers. Having Change Healthcare file the breach notification on behalf of others will help with a consistent and likely non-redundant message. Given that there is a one-in-three chance your information was compromised, don't stop at go: go directly to credit monitoring/data validation.

Lee Neely

2024-05-31

Three WordPress Plugin Vulnerabilities are Being Actively Exploited

Researchers at Fastly have observed active exploitation of three high-severity cross-site scripting (XSS) vulnerabilities in WordPress plugins. The researchers note that the script used to exploit each of the three flaws is identical. The affected plugins are WP Statistics (version 14.5 and earlier), WP Meta SEO (version 4.5.12 and earlier), and LiteSpeed Cache (version 5.7.0.1 and earlier).

Editor's Note

The root cause for all three vulnerabilities is lack of input sanitization. After you've verified the plugins are updated, you need to make sure you're not compromised. Review user accounts, particularly those with admin privileges, check for files with unexpected modifications, particularly injected scripts, and look for outbound requests to Yandex tracking links or pixels.

Lee Neely

It is sufficient to say that WordPress plugins are being actively exploited. Experience indicates that WordPress plugins are high risk. They should be used only by design and intent, never by default. Those used must be monitored and managed for risk.

William Hugh Murray

Internet Storm Center Tech Corner

K1w1 Infostealer Uses gofile.io for Exfiltration

https://isc.sans.edu/diary/K1w1+InfoStealer+Uses+gofileio+for+Exfiltration/30972

A Wireshark Lua Dissector for Fixed Field Length Protocols

https://isc.sans.edu/diary/A+Wireshark+Lua+Dissector+for+Fixed+Field+Length+Protocols/30976

COX Cable Modem Admin API Weakness

https://samcurry.net/hacking-millions-of-modems

Malicious Stack Overflow Answers

https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/

Atlassian Confluence Data Center and Server Remote Code Execution Vuln CVE-2024-21683

https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/

Kaspersky Linux Malware Scanner

https://www.kaspersky.com/blog/kvrt-for-linux/51375/

Snowflake Incident

https://www.helpnetsecurity.com/2024/06/01/snowflake-breach-data-theft/

HuggingFace Space Secrets Leak

https://huggingface.co/blog/space-secrets-disclosure