By Andrew Paulette
1.) Risky Business #455 — What a mess (May 17, 2017)
Summary: On this week’s show, of course, we are taking a deep dive on WannaCry. Most of the coverage of this debacle has actually been pretty bad, and there’s been nothing that I’ve seen that even approaches being comprehensive, so we’re going to try to fix that in this edition of the show.
Why it matters: Need a deep dive into the past week of information security insanity? This week’s Risky Business will help make sense of the whirlwind of news, remove the misinformation, and provide a clear sequence of events and analysis of the historic ransomware worm. The takeaway from this podcast?
“North Korea is ransomwaring things with NSA exploits stolen by the Russians for made-up money called cryptocurrency. You wouldn’t even understand what I said if you heard it 10 years ago.”
Well worth a listen.
2.) Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft (May 17, 2017)
Summary: After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.
Why it matters: While long suspected, The Washington Post article referenced by Ars Technica is the first confirmation we’ve seen that the NSA provided warning to Microsoft regarding the compromised group of “Eternal” exploits leaked by Shadow Brokers in April of this year.
Especially interesting in this article is the write-up on the NSA’s efforts to avoid this vulnerability being burned: it severely controlled the tool’s use in the early stages, when the attack was less reliable and quite often caused blue screens. A zero-day exploit is only good for as long as it remains unpatched. As a result, intelligence agencies that utilize these attack techniques must weigh the risk of having a zero-day burned in the real world against the reward of any intelligence gained from using the exploit.
3.) Cyber attack eases, hacking group threatens to sell code (May 17, 2017)
Summary: Governments turned their attention to a possible new wave of cyber threats on Tuesday after the group that leaked U.S. hacking tools used to launch the global WannaCry “ransomware” attack warned it would release more malicious code.
Why it matters: The list of vulnerabilities offered as part of the Shadow Brokers’ “monthly subscription” is certainly concerning, including exploits for handheld devices (Android and iOS) as well as data on previous attacks against nation-states. While this could be another red herring thrown by Shadow Brokers to confuse their adversaries as to their true intentions (as when they first offered the NSA exploits for sale on the black market), the potential damage if they follow through with this “offer” is quite serious.
4.) Survey: Unpatched Windows OS on the Rise (May 17, 2017)
Summary: Computers running unpatched Windows operating systems in the US rose to 9.8% in the first quarter, up from 6.5% a year ago, according to the Country Report released this week by Secunia Research@Flexera.
The data also revealed that, alongside the rise in unpatched Windows OS, the percentage of vulnerabilities in the US that originated in the OS itself grew to 36% in the first quarter, from 21% a year ago. These statistics may seem surprising, given that 81% of vulnerabilities in all products last year had patches available on the day they were disclosed, according to Flexera’s annual Vulnerability Review.
Why it matters: In the wake of the global WannaCry incident, Flexera’s recent vulnerability review does not bring good tidings for the future security posture against global malware outbreaks. Organizations should consider comply-to-connect initiatives such as those being implemented on the Air Force Network: an asset that does not meet the patch baseline is kept off (or restricted on) the network, which reduces the attack surface and also gives IT staff faster notification when assets are failing to install the newest patches.
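To make the comply-to-connect idea concrete, here is an added example (my own illustration, not code from the article, Flexera or the Air Force program) that evaluates a constructed asset inventory against an assumed patch policy. Hostnames, the 30-day threshold and the inventory fields are assumptions; the point is that the same per-asset check both gates network access and produces the list IT staff should be notified about.

```python
"""Comply-to-connect style patch check over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_PATCH_AGE = timedelta(days=30)  # assumed policy threshold, not a figure from the article


@dataclass
class Asset:
    hostname: str
    os_supported: bool                     # vendor still ships patches for this OS version
    last_successful_patch: Optional[date]  # None means no successful patch on record
    pending_critical: int                  # critical updates the update agent reports as missing
    update_error: Optional[str] = None     # last error from the update agent, if any


def evaluate(asset: Asset, today: date) -> List[str]:
    """Return the policy violations for one asset; an empty list means it may connect."""
    violations: List[str] = []
    if not asset.os_supported:
        violations.append("unsupported OS")
    if asset.last_successful_patch is None:
        violations.append("no successful patch on record")
    elif today - asset.last_successful_patch > MAX_PATCH_AGE:
        violations.append("last patch older than %d days" % MAX_PATCH_AGE.days)
    if asset.pending_critical > 0:
        violations.append("%d critical update(s) pending" % asset.pending_critical)
    if asset.update_error:
        violations.append("update agent error: " + asset.update_error)
    return violations


def triage(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    """Sort hostnames into connect / quarantine buckets and flag failing agents for IT staff."""
    buckets: Dict[str, List[str]] = {"connect": [], "quarantine": [], "notify_it": []}
    for asset in inventory:
        if not evaluate(asset, today):
            buckets["connect"].append(asset.hostname)
            continue
        buckets["quarantine"].append(asset.hostname)
        # An asset that is trying to patch but erroring needs a human, not just a block.
        if asset.update_error:
            buckets["notify_it"].append(asset.hostname)
    return buckets


def unpatched_ratio(inventory: List[Asset], today: date) -> float:
    """Fraction of assets failing the policy, the kind of figure the Secunia report tracks."""
    if not inventory:
        return 0.0
    failing = sum(1 for asset in inventory if evaluate(asset, today))
    return failing / len(inventory)


# Constructed sample data; hostnames and dates are invented for the example.
TODAY = date(2017, 5, 17)
SAMPLE_INVENTORY = [
    Asset("ws-001", True, date(2017, 5, 10), 0),                          # compliant
    Asset("ws-002", True, date(2017, 3, 1), 2),                           # stale, missing criticals
    Asset("ws-003", True, date(2017, 5, 12), 1, "download failed"),       # agent erroring
    Asset("srv-legacy", False, date(2016, 12, 1), 0),                     # end-of-life OS
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, TODAY)
    for bucket, hosts in result.items():
        print("%-10s %s" % (bucket, ", ".join(hosts) or "-"))
    print("unpatched ratio: %.0f%%" % (100 * unpatched_ratio(SAMPLE_INVENTORY, TODAY)))
```

In a real deployment the inventory would come from the endpoint management or NAC system rather than a hard-coded list, and the quarantine bucket would drive a VLAN or firewall policy; the check itself stays the same.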
5.) Trump signs cyber EO promoting IT modernization, shared services (May 11, 2017)
Summary: Agencies should no longer be on an island when it comes to cybersecurity. The White House is requiring agencies to take an enterprise approach to cyber risk assessment and mitigation, and stop protecting their networks and data as if their efforts don’t impact their fellow departments.
Why it matters: While the details of President Trump’s recent Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure do not necessarily provide any new guidance that cybersecurity experts didn’t already know, it is a step in the right direction. This order directs departments and agencies to follow the foundations of cybersecurity that often seem forgotten, such as holding senior leadership accountable for cybersecurity risks and conducting appropriate risk management (including noting where risk acceptance is practiced). In addition, the focus on critical infrastructure is especially important, given the potential costs and loss of life in the event of successful attacks against this infrastructure. You can read the executive order here: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.