Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

March 22, 2022

Good morning, everyone!

The latest critical vulnerabilities:
  • WordPress released a major update to address three security flaws. Users are encouraged to update immediately.
  • Linux kernel patches have been released to fix the “Dirty Pipe” exploit.
  • QNAP warns users that most of its NAS devices are vulnerable to Dirty Pipe and should be blocked from Internet access (honestly, all your NAS devices should be blocked from Internet access anyway).
  • Many MikroTik devices have been infected with TrickBot malware, and Microsoft has released a free scanning tool that will detect infected devices.
  • Unpatched ASUS routers and WatchGuard Firebox devices are being actively targeted.

Patch All the Things!
Configuration is Everything

You have read past editions of this newsletter where I talk about the importance of proper configuration, especially in the cloud environment. One big incident in the news this past week is a glaring example:

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability.

The report details three crucial mistakes that allowed this to happen:

(1) The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password.

(2) The victim account had been un-enrolled from Duo [MFA] due to a long period of inactivity but was not disabled in the Active Directory.

(3) As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.

Each of these mistakes is easily mitigated by standard security practices:

(1) Enforce password complexity policies.

(2) Disable inactive accounts.

(3) Change vendor-default configuration settings.

See how easy it can be to avoid a cyber incident? Basic Cyber Hygiene.
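To make the three mistakes and their fixes concrete, here is a small Python model of the login decision, added as an illustration and not taken from the advisory or from any vendor's product. The policy names, the 90-day inactivity limit and the sample accounts are assumptions constructed for the example; the only point they carry is the one above: a vendor default that lets an un-enrolled account register a new device at login, combined with a dormant account still enabled in the directory, turns a guessed password into full access, while a fail-closed policy plus a dormant-account sweep does not.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    directory_enabled: bool   # still enabled in Active Directory
    mfa_enrolled: bool        # has an MFA device on file
    last_login: datetime


@dataclass
class MfaPolicy:
    self_enroll_unenrolled: bool           # un-enrolled user may add a device at login
    inactivity_limit_days: Optional[int]   # None = no dormancy check at all


# Assumed policies for the example: a permissive vendor-style default and a hardened one.
VENDOR_DEFAULT = MfaPolicy(self_enroll_unenrolled=True, inactivity_limit_days=None)
HARDENED = MfaPolicy(self_enroll_unenrolled=False, inactivity_limit_days=90)


def authenticate(account: Account, password_ok: bool,
                 policy: MfaPolicy, now: datetime) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one login attempt under a policy."""
    if not password_ok:
        return ("deny", "password rejected")
    if not account.directory_enabled:
        return ("deny", "account disabled in directory")
    if (policy.inactivity_limit_days is not None
            and now - account.last_login > timedelta(days=policy.inactivity_limit_days)):
        return ("deny", "dormant account; needs administrator re-activation")
    if not account.mfa_enrolled:
        if policy.self_enroll_unenrolled:
            # This is the fail-open path: whoever holds the password chooses the device.
            return ("allow", "no MFA device on file; new device enrolled at login")
        return ("deny", "no MFA device on file and self-enrollment disabled")
    return ("allow", "password and existing MFA device verified")


def stale_accounts(accounts: List[Account], now: datetime,
                   limit_days: int = 90) -> List[str]:
    """Directory-enabled accounts that are dormant or have no MFA device.

    This is the reconciliation mistake (2) above skipped: the MFA system and the
    directory each had their own idea of whether the account was still live.
    """
    cutoff = now - timedelta(days=limit_days)
    return sorted(a.name for a in accounts
                  if a.directory_enabled
                  and (not a.mfa_enrolled or a.last_login < cutoff))


# Constructed sample data: one dormant account un-enrolled from MFA but never
# disabled in the directory (the advisory's scenario), and one healthy account.
NOW = datetime(2022, 3, 22)
DORMANT = Account("jdoe", directory_enabled=True, mfa_enrolled=False,
                  last_login=NOW - timedelta(days=400))
ACTIVE = Account("asmith", directory_enabled=True, mfa_enrolled=True,
                 last_login=NOW - timedelta(days=1))

if __name__ == "__main__":
    # A guessed password (password_ok=True) against the dormant account:
    print("default :", authenticate(DORMANT, True, VENDOR_DEFAULT, NOW))
    print("hardened:", authenticate(DORMANT, True, HARDENED, NOW))
    print("to disable:", stale_accounts([DORMANT, ACTIVE], NOW))
```

Under the default policy the dormant account logs in and leaves with a freshly enrolled device; under the hardened policy the same attempt is denied twice over (dormancy and no self-enrollment), and the sweep lists the account that should have been disabled in the directory in the first place.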

In case you thought they weren't serious

Last October, the Department of Justice announced its new Civil Cyber-Fraud Initiative to "leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DOJ calls cybersecurity fraud." Last week, they settled their first case for $930,000 from Comprehensive Health Services (a government contractor) for allegedly failing to use a secure Electronic Medical Record system that they had installed to protect patient data. Say what you do, and do what you say.

Go forth and be secure, and have a great week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com