Bad actors are always looking for access to networks of interest and business systems. Vulnerabilities and software flaws are an ongoing concern. We need to be vigilant. Yet the fact that the NSA in October warned against state-sponsored hackers exploiting “publicly known vulnerabilities” suggests cyber hygiene still isn’t getting enough attention.
Let’s put it in a context that will resonate in the midst of the COVID-19 pandemic. We’re all being asked to wash our hands and wear masks. These are simple precautions we can take to protect ourselves and others. Still, some aren’t doing so.
Cyber hygiene is the same. Cyber criminals are going to turn any known vulnerability or software flaw into a compromise opportunity. This makes ongoing security maintenance and installing the latest patches incumbent on those professing to provide Internet security.
The NSA’s advisory regarding Chinese state-sponsored cyber actors is a sad commentary on the state of cybersecurity today. Vulnerabilities in software are expected, so failing to address them is reckless, if not negligent, when patches to fix them are available.
Cyber Hygiene Complications
As SANS noted, all of the flaws are known and have fixes already available. The vulnerabilities the NSA cited have already “been heavily abused by ransomware gangs, crypto coin miners and essentially anybody interested in breaching a corporate network.” Some of the vulnerabilities date back to 2015.
Yes, keeping up with all the vulnerabilities is challenging. Security threats can impact operating systems, applications, libraries and even pieces within libraries. It can be a lot to monitor and manage.
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” Anne Neuberger, the director of the NSA Cybersecurity Directorate, said in a statement quoted by cyberscoop.com.
But there’s no way around it. It is reckless not to prioritize patching and mitigation.
The importance of shielding potentially vulnerable systems from unauthorized users cannot be overstated. Doing business online with vulnerable software or systems is akin to spending time on a COVID ward — without any protective gear. Or, to use a potentially less charged metaphor, it’s like driving a Ford Pinto on the Internet highway.
Vulnerabilities and Exposures Identified
The NSA should not still be sending out Cybersecurity Advisories warning against such familiar Common Vulnerabilities and Exposures (CVEs). The vulnerabilities recently leveraged, or scanned for, by Chinese state-sponsored cyber actors included:
- CVE-2019-1040 — A tampering vulnerability exists in Microsoft Windows® when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
- CVE-2019-0708 — A remote code execution vulnerability exists within Remote Desktop Services® when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
- CVE-2020-0688 — A Microsoft Exchange® validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory.
Of the 25 known vulnerabilities, seven were for Microsoft (Windows®; Windows Server®; Windows Exchange Server® products) and four were for Citrix® (Application Delivery Controller (ADC) and Gateway, SDWAN WAN-OP). Oracle, Atlassian, DrayTek, Adobe, F5, Zoho and Symantec products were also on the list — along with their fixes.
The NSA noted the primary targets are remote access and external web services and suggested they “should be prioritized for immediate patching.”
Putting a Cyber Mask on to Mitigate Risk
At Calyptix we work with IT security providers who do their best to keep systems and products updated and patched. They implement new upgrade releases quickly. These cyber good guys also, as the NSA suggested in its advisory:
- Disable external management capabilities and set up an out-of-band management network
- Block obsolete or unused protocols at the network edge and disable them in device configurations
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network
They know patching won’t alleviate the problem of data stolen or modified (including credentials, accounts, and software) before maintenance. So, they also encourage password changes and reviews of accounts as a good cyber hygiene practice.
Yet there are still vendors, service providers, end customers and end users out there that continue to disregard the importance of cyber hygiene. By failing to patch systems and software, these parties are recklessly endangering our society and our resources. Indifference permits malicious actors to steal financial resources and intellectual property from organizations and even jeopardizes the safety, integrity and reliability of critical infrastructure systems.
Shielding Systems from Attack
No industry is safe. The Chinese hackers have targeted security as well as “entities in the telecommunications, healthcare, financial, transportation, petrochemical, and manufacturing sectors as well,” according to research published in March.
Managed services for IT systems are not a scam; they are essential. Just ask the NSA. If your organization is not actively patching and maintaining the systems it exposes to, or uses to access, the public Internet, either directly or with the aid of a managed services provider (MSP), you are part of the problem.
Reputable MSPs take safeguards seriously. They provide patch management and review systems regularly to shield them from the public Internet and from the active exploits the NSA described.
Calyptix’s current version of AccessEnforcer 5.0 adds Gatekeeper and Geo Fence (along with existing Lan Lockdown) to make it even easier for MSPs to implement cyber hygiene that makes their customers’ organizations defensible.