The IT Nerd

This week, CISA, the NFL, Allegiant Stadium, and Super Bowl LVIII partners held a Super Bowl LVIII Cybersecurity Tabletop Exercise to explore, assess, and enhance cybersecurity response capabilities, plans, and procedures ahead of Super Bowl LVIII.
 
The 4-hour Tabletop Exercise brought together more than 100 partners from the NFL, stadium, and federal, state, and local governments in preparation efforts designed to ensure the safety of events at Allegiant Stadium. The collaborators’ aim is to discuss plans and procedures, resources, capabilities, and best practices for protecting against, responding to, and recovering from a significant cyberattack during the event.
 
“This was a safe, low-stress setting to identify any gaps in those plans and ensure we all have a shared understanding of roles and responsibilities. In short, this exercise will help ensure we’re ready for any challenges that come our way on game day,” said CISA’s Deputy Executive Assistant Director for Infrastructure Security Steve Harris.
 
During the exercise, participants discussed a hypothetical scenario that included phishing, ransomware, a data breach, and a potential insider threat – all with cascading impacts on physical systems.
 
“At the NFL, we understand how important it is to practice like you play, and this week’s exercise is the first of many simulations we will conduct prior to Super Bowl LVIII,” said NFL Senior VP and CSO Cathy Lanier.  

George McGregor, VP, Approov had this to say:

   “It is very encouraging to see this exercise was organized by the NFL and partners and CISA.  
Such a workshop should be a critical exercise before any major sporting event, to check that security and contingency plans are complete.

   “Such events have a highly dynamic cybersecurity attack surface which changes rapidly as multiple partners and vendors, and thousands of fans come together and interact with ticketing systems and points of sale using stadium Wi-Fi and via mobile devices. As a key part of this exercise, mobile apps which access sensitive information must be verified as being protected from impersonation or manipulation. “

Table top exercises like these ones are good because it makes sure that all parties are on the same page. Let’s hope that the lessons learned from this exercise aren’t ever needed.

In its first binding operational directive (BOD) of the year, CISA is giving federal civilian agencies just 14 days (from discovery) to lock down Internet exposed network devices. Binding Operational Directive 23-02. The directive applies to all network devices with Internet exposed management interfaces such as routers, firewalls, proxies, and load balancers that grant users admin access to the network. 

CISA said it will be conducting scans to identify devices that fall under the BOD scope and notify agencies of their findings.

“Agencies must be prepared to remove identified networked management interfaces from exposure to the internet or protect them with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself,” they added.

Neal Dennis, Threat Intelligence Specialist, Cyware had this to say:

   “Controlling your exposure to the internet is critical to any security posture, the more devices directly accessible, the more chances for threat actors to do their thing. Adopting a Zero Trust methodology is a solid option, one that could limit both security concerns directly to the exposed device as well as accesses to connected systems should that device be compromised. A solid Zero Trust approach does not solve all security problems, but it definitely helps limit impact should a breach occur.

  “I view this as a very impactful move by CISA and shows they are taking their role seriously. All organizations, public and private, should strive to limit their publicly accessible internet footprint. Less exposure equals less targets for threat actors which equals less devices you need to monitor for initial incursions, giving you more resources to hopefully monitor critical assets.”

It’s good to see that the CISA is taking this seriously. And it would be in your interest to do the same thing if your company, or you at home have devices exposed to the Internet as threat actors will pwn anything if given the chance.

 The CISA planning to release a white paper on software identity this week at their “SBOM-a-Rama” as part of an effort to understand vulnerabilities.

Joe Saunders, CEO, RunSafe Security had this comment:

Identifying vulnerabilities in software begins with identifying what’s in your software. We look forward to contributing our approaches on these matters because with the collective input we can develop a way to dramatically reduce the attack surface and develop ways to dramatically change the economics of cyber attack back in favor of the defenders. This is a unifying opportunity for the entire industry.

Everything that we all do in terms of identifying vulnerabilities in software and addressing them is a good thing. The reason is that it takes away one avenue for the bad guys to pwn you or your environment.

CISA and NCSC along with their equivalents in Canada, Australia and New Zealand have published Cybersecurity Best Practices for Smart Cities designed to help stakeholders build protections into new systems from the planning stage.

The document warns that due to the intrinsic value of the large data sets, not only are smart cities vulnerable to financially motivated cyber-criminals but with complex, automated supply chains, terrorists could paralyze critical services and even cause physical harm or loss of life.

While currently infrastructure services are separate, the challenge for defenders is that by integrating all systems into a single-network landscape, they will expand the digital attack surface for each participating organization, while making visibility and control more challenging for security teams.

Key recommendations are as expected and suggest that planners undertake:

• Secure planning and design: principle of least privilege, MFA, zero trust architectures, prompt patching, device security, and protection for internet-facing services
• Proactive supply chain risk management: covering the software supply chain, IoT and device supply chains, and managed/cloud service providers
• Operational resilience: backing up systems and data, workforce training, and incident response and recovery

Carol Volk, EVP , BullWall: (she/her)

   “This effort by the US and other nations is a commendable move towards promoting cybersecurity in the planning and design of smart city systems. It highlights the recognition of the inherent risks associated with large data sets in smart cities and the need for proactive measures to protect against cyber threats.

   “The emphasis on secure planning and design, proactive supply chain risk management, and operational resilience in the recommendations is crucial in ensuring the security of smart city systems. 

   “In particular, recognizing the risks of centralizing too much data in smart city systems is significant. Centralized data can become a single point of failure and will attract malicious actors like bees to honey. Governments must consider the balance between data centralization for operational efficiency and the need for data protection and privacy. Even the best planning will be thwarted by determined attackers, whether private or nation states. After watching ransomware attacks increasingly evade the best preventative measures, we need solid detection and containment layers as standard fare in these new network designs.”

Bryson Bort, Founder and CEO, SCYTHE had this to say:

   “I have worked smart city security in various countries since 2015. The joint country collaboration on best practices is particularly interesting in this case. The smart city of tomorrow promises a better way of life for its citizens with possibilities like re-routing traffic with sensors but must design for resilience and protective measures to assure the digital traffic doesn’t hit any potholes.”

Corey Brunkow, Dir of Eng Operations, Horizon3.ai follows up with this:

   “The CISA doc is pretty general but has links to useful information and has a section on Supply Chain Security Guidance which is critically important as the recent Toyota Supply Chain attack demonstrated.    This specific section from the UK NCSC addressing supply chain security guidance seems particularly relevant for best practices similar to what is needed.  

1. Understand the risks
2. Know who your suppliers are and build an understanding of what their security looks like
3. Understand the security risk posed by your supply chain”

Roy Akerman, Co-Founder & CEO, Rezonate:

   “Smart cities are here, and we will see more and more cities adopt these practices – both with technology innovation as well as with government services. CISA recommendations are logical, yet they are far from reality. They may seem like basic functions yet today there are no vulnerability-free environments, the speed of patching is never real-time, zero-trust is a continuous journey, not a one and done. Smart city infrastructure will be distributed across many vendors and many teams, inevitably resulting in an increased attack surface that will lead to security breaches if not handled properly.

   “It is critical for the foundation of smart cities to be connected and based on strong automation, as with the private sector, resources are limited but effective security practices must be put in place to safeguard identity data. The approach must include both proactive measures and a defense-in-depth approach assuming compromise and readiness when a security breach occurs. Success will be evaluated by how fast they are able to get back online.”

Smart cities are going to be considered critical infrastructure in the not so distant future. Thus it’s good to see that there are these guidelines are out there to make smart cities as safe as possible.

On Monday, CISA announced that under its new Ransomware Vulnerability Warning Pilot (RVWP) program it has started scanning critical infrastructure entities’ networks for vulnerabilities to warn and help entities fix the flaws ahead of the bad actors.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.

CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

Naveen Sunkavalley, Chief Architect at Horizon3.ai had this to say:

   “CISA’s new program is a necessary and definite step in the right direction to protect critical infrastructure. Many N-day vulnerabilities are now being exploited by threat actors within days of being disclosed. Time is of the essence. The faster organizations are notified of critical vulnerabilities, the faster they can react to avoid compromise.

   “CISA’s program is not a panacea though. Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable.

   “Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”

Dave Ratner, CEO of HYAS follows up with this:

   “We continue to see increasing attacks on all aspects of critical infrastructure and believe that increased visibility and observability into what is happening in real-time inside the environment is critical to rapid identification of these attacks and shutting them down before they expand into major incidents.  

   “Attackers continue to find new and innovative ways to circumvent the perimeter and breach both IT and OT networks; however, given that the malware then needs to beacon out for instructions, visibility into outgoing communication – which domains and what infrastructure is being communicated with and how often — can identify anomalous and nefarious activity inside the network and provide a key layer of protection, if not the “last line of defense”, for all aspects of critical infrastructure.”

This is a good step in terms of fighting threat actors. But it is only a step. This has to be combined with the hard work of those responsible for defending networks against threat actors along with spending money on the tools to effectively fight threat actors. Otherwise the CISA’s work will mean nothing.

The CISA has added two vulnerabilities to its list of actively exploited bugs. Specifically the code injection in the Spring Cloud Gateway library and the command injection flaw in Zyxel firmware for business firewalls and VPN devices. 

Artur Kane, VP of Product for GoodAccess had this to say:

“Zero-day vulnerabilities are inevitable in SW and HW engineering. Sometimes this may be due to a flaw in the design, but often it is a goofy engineer who makes a wrong decision when under pressure to deliver on time. Attackers have loads of time to discover and access vulnerabilities. Then, such intelligence is sold on the dark web, hence it can spread rapidly in the community. Companies should look for such vendors who have a proven record of responding fast to zero-day vulnerabilities by issuing patches fast, who also have sufficient security certifications and standards. IT experts have options to mitigate the risk and impact in their hands too, by having regular vulnerability assessments and patching and updating programs in place. If the organization can’t meet such precautionary practices, they should also consider replacing their technologies with applications delivered as a SaaS, where there’s no self-hosted HW (with firmware) and/or software. Patching is done on the level of the application infrastructure and in most cases, much faster as it is in hands of the vendor. When all these processes fail, as they sometimes do, it is a good practice to implement processes that minimize breach impact (micro segmentations, zero trust access, etc.) and incident response and remedial action plans.”

I would make it part of your security process to check the CISA list of exploited bugs so that you know where to focus your efforts on so that you don’t get caught with your pants down, metaphorically speaking. Also, you should look at SaaS as this takes all the guesswork out of this.

If you use a MSP or Managed Service Provider to assist you in managing your IT infrastructure, or you are a MSP, you should pay attention to this. Members of the Five Eyes (Canada, USA, UK, Australia, New Zealand) today warned that managed service providers (MSPs) and their customers are being increasingly targeted by supply chain attacks. Multiple cybersecurity and law enforcement agencies have shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats. 

Aimei Wei, CTO and Founder of Stellar Cyber had this comment:

“Attackers are more and more targeting organizations that have a cascading effect, and one compromise allows them to gain access to a large number of organizations. Sunburst supply chain attack and now the MSP targeted attacks are some of the examples.” 

“Implementing the measures and recommended by CISA and following their guidance to harden the MSP environment and increase the security posture, will greatly reduce the chances of getting compromised. It is especially critical for MSP to be able to detect the attack early and stop it before it spreads and cause more damages. MSP should consider implementing a detection and response system that:

• Detect early signs and stop it before further progression to minimize the damage
• Show a clear picture of how it happened to conclusively determine that the attack has been contained
• Show how far it has gone and understand the impact to determine the customers that are impacted quickly”

Saumitra Das, CTO and Co-founder of Blue Hexagon adds this comment:

“MSPs are typically given a lot of privileges on their customer networks. They can be a portal for attackers to get into victim networks such as what happened in the Kaseya attack. Organizations that use MSPs should be vigilant about their MSPs’ security posture and assess the risk of what happens if the MSP software is compromised. Convenience often means the MSPs get a lot of privileges for remote maintenance and this convenience can increase the chance of a supply chain attack escalating into a victim network.”

Finally, Christopher Prewitt who is the Chief Technology Officer of MRK Technologies had this to say:

“Managed Service Providers are always under attack. They are often primarily focused on IT operations and service desk related services, and usually do not have a depth of knowledge or capability in cyber security practices. As an attacker, if I can breach and impact an MSP, my impact has an exponential outcome. We continue to see this IT supply chain be targeted through Kaseya and MSP’s.”

This warning is worth reading as it has a lot of recommendations to protect against attacks. Thus I would put aside time to read and implement these recommendations.