Cybersecurity Update: September 16, 2022

Ron McFarland PhD
9 min read · Sep 15, 2022

About the “Cybersecurity Update:”

The Cybersecurity Update is a periodic post in Medium and contains news about Cybersecurity, Information Technology, Network Security, and Securing our IoT/SCADA Networks and Databases.

Aside from presenting the news, each update also discusses approaches that a cybersecurity professional (or individual) can take in response to the items covered. The intention is not only to bring you the cybersecurity news, but also to discuss possible strategies for addressing the items posted in the update.

Please follow along. Please send me any additional suggestions for addressing any of the updates, suggestions for videos/content that you’d like to see/read, or just keep in contact. My info is provided below.

TOPICS TODAY INCLUDE:

1. Microsoft Patch Fixes Zero-Day Elevation of Privilege Vulnerability

2. Zero Trust Applied to the Mobile World

3. NIST Suggests Agencies Accept the Word of Software Producers Per Executive Order

Item 1: Microsoft Patch Fixes Zero-Day Elevation of Privilege Vulnerability

Several threat researchers reported this vulnerability to Microsoft, which documented it as CVE-2022-37969 in its Security Update Guide on 13 Sep 2022. The flaw is an elevation-of-privilege bug in the Windows Common Log File System (CLFS) driver. According to Microsoft, exploiting it requires that an attacker already have access to the target system, or the ability to run code on it; the bug does not by itself provide remote code execution. It is a stand-alone vulnerability and does not depend on other CVEs or exploits. Because it was already being exploited as a zero-day when the patch shipped, and because it takes little skill to trigger once an attacker has a foothold, researchers expect CVE-2022-37969 to be exploited more widely by threat actors as details spread.

The affected Microsoft Systems include:

• Windows: 7, 8.1, 10, 11

• Windows Server: 2008 and 2008 R2, 2012 and 2012 R2, 2016, 2019, 2022

Microsoft's recommended mitigation is to apply the September 2022 security update. Individuals and organizations should update their affected Windows systems as soon as possible.

Actions that we can take include:

Review security notices. Awareness of a vulnerability such as this one can arrive from several fronts, for example:

• A SIEM notice: A SIEM (Security Information and Event Management) system is a solution (hardware, software, or both) that helps organizations collect, correlate, and analyze security events so that threats can be detected and responded to before they harm business operations. Many SIEMs ingest vulnerability and threat-intelligence feeds and raise a notice when a newly published CVE affects monitored assets. The CVSS score indicates severity; the organization's patch policy, not CVSS itself, sets the remediation timeframe for each severity level.

• Threat Intelligence service(s): Threat intelligence is evidence-based information about cyber-attacks that cyber security experts organize and analyze. This information may include:

  • Mechanisms of an attack

  • How to identify that an attack is happening

  • Ways different types of attacks might affect the business

  • Action-oriented advice about how to defend against attacks

• National Vulnerability Database (NVD): The NVD is the U.S. government repository of standards-based (NIST) vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance.

• Notices from vendors: Mitigate based on the vendor's security update recommendations (in this case, Microsoft's Security Update Guide).

Use of a Patch Management system

Figure 1: Patch Management Process

The patch management process is quite involved, and a working process supports the cybersecurity posture and resiliency of an organization. While this article is not a comprehensive study of patch management systems, the general process (see Figure 1: Patch Management Process, above) includes the following:

1. Update vulnerability details from vendors: The patch management or vulnerability scanning vendor periodically updates its product's vulnerability definitions with newly published vulnerabilities, including those from the National Vulnerability Database and from software vendors' own advisories.

2. Scan the network: A periodic scan inventories the hardware, software, and firmware versions present on the information system and compares them against the established asset baseline and the current vulnerability definitions.

3. Identify the vulnerable systems: The scan reveals the components that match a known vulnerability and for which a patch is available.

4. Download and deploy patches: The patch management system downloads the relevant patches and deploys them to the affected components, typically after testing on a pilot group of systems.

5. Generate status reports: Whether patching succeeded or failed, a status report shows the disposition of each system object and any remaining vulnerabilities that were not addressed, so that they can be tracked against the organization's remediation timeframes.
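The notices and the patch-management steps above can be tied together in code. The following Python script is an added example, not from the original article or from Microsoft: it parses a vulnerability record laid out like an NVD 2.0 API response for CVE-2022-37969 (the CVSS 3.1 vector and 7.8 score are the published ones; the CPE criteria are a simplified subset and the KEV date is illustrative), derives a remediation deadline from a hypothetical severity-based policy, matches the vulnerable CPE criteria against a constructed asset baseline (steps 2 and 3), and produces the status report of step 5. The host inventory, host names, and the policy are assumptions.

```python
"""Triage one vulnerability record against an asset baseline.

Added example (not from the original article). NVD_RECORD is constructed
with NVD 2.0 API field names; the CVSS data matches the published record
for CVE-2022-37969, the CPE criteria are a simplified subset, and the KEV
date, inventory and SLA policy are hypothetical.
"""
from datetime import date, timedelta

NVD_RECORD = {  # constructed, NVD 2.0 API layout
    "cve": {
        "id": "CVE-2022-37969",
        "published": "2022-09-13T19:15:00.000",
        "cisaExploitAdd": "2022-09-14",  # present only when CISA lists the CVE in KEV (date illustrative)
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 7.8, "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}]},
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*"},
            {"vulnerable": True, "criteria": "cpe:2.3:o:microsoft:windows_11:*:*:*:*:*:*:*:*"},
            {"vulnerable": True, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*"},
        ]}]}],
    }
}

# Constructed asset baseline: host, OS as a CPE 2.3 string, date of the last
# cumulative update installed. Real inventories carry build/KB numbers.
INVENTORY = [
    {"host": "ws-0142", "cpe": "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "last_update": "2022-09-14"},
    {"host": "ws-0207", "cpe": "cpe:2.3:o:microsoft:windows_11:21h2:*:*:*:*:*:x64:*", "last_update": "2022-08-10"},
    {"host": "srv-db01", "cpe": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:x64:*", "last_update": "2022-07-13"},
    {"host": "srv-lnx3", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*", "last_update": "2022-09-10"},
]

# Hypothetical remediation policy: days allowed after the fix is published,
# keyed by CVSS severity. A CVE in CISA's KEV catalog is treated as CRITICAL.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 14, "MEDIUM": 30, "LOW": 90}


def cpe_matches(criteria, cpe):
    """CPE 2.3 formatted-string match: '*' in the criteria is ANY; every other
    field must match case-insensitively ('-' therefore matches only '-').
    Escaped colons inside fields are not handled."""
    want_parts, have_parts = criteria.split(":"), cpe.split(":")
    if len(want_parts) != 13 or len(have_parts) != 13:
        return False
    return all(want == "*" or want.lower() == have.lower()
               for want, have in zip(want_parts[2:], have_parts[2:]))


def parse_record(record):
    """Step 1: pull what triage needs out of the vulnerability record."""
    cve = record["cve"]
    cvss = cve["metrics"]["cvssMetricV31"][0]["cvssData"]
    criteria = [m["criteria"]
                for cfg in cve.get("configurations", [])
                for node in cfg["nodes"]
                for m in node["cpeMatch"] if m.get("vulnerable")]
    return {"id": cve["id"], "published": date.fromisoformat(cve["published"][:10]),
            "score": cvss["baseScore"], "severity": cvss["baseSeverity"],
            "vector": cvss["vectorString"], "kev": "cisaExploitAdd" in cve,
            "criteria": criteria}


def remediation_deadline(vuln, policy=SLA_DAYS):
    severity = "CRITICAL" if vuln["kev"] else vuln["severity"]
    return vuln["published"] + timedelta(days=policy[severity])


def scan(vuln, inventory):
    """Steps 2 and 3: hosts whose OS matches a vulnerable CPE. A host counts as
    patched if its last cumulative update is not older than the fix release
    (a simplification of the exact build/KB check a real scanner performs)."""
    findings = []
    for asset in inventory:
        if any(cpe_matches(c, asset["cpe"]) for c in vuln["criteria"]):
            patched = date.fromisoformat(asset["last_update"]) >= vuln["published"]
            findings.append({"host": asset["host"], "patched": patched})
    return findings


def status_report(vuln, inventory, today):
    """Step 5: disposition of every affected host against the policy deadline.
    `today` is an ISO date string."""
    today = date.fromisoformat(today)
    deadline = remediation_deadline(vuln)
    hosts = {}
    for f in scan(vuln, inventory):
        if f["patched"]:
            hosts[f["host"]] = "patched"
        else:
            hosts[f["host"]] = "unpatched-overdue" if today > deadline else "unpatched"
    return {"cve": vuln["id"], "deadline": deadline.isoformat(), "hosts": hosts}


if __name__ == "__main__":
    vuln = parse_record(NVD_RECORD)
    print(status_report(vuln, INVENTORY, "2022-09-16"))
```

A real scanner decides "patched" from the exact build or KB installed; the last-update date comparison here stands in for that check. The CPE matcher treats "*" as ANY and compares every other field literally, which is enough for OS-level criteria like these but does not handle escaped colons or the version-range fields (versionStartIncluding and friends) that NVD records also carry.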

Item 2: Zero Trust Applied to the Mobile World

Figure 2: Zero Trust Architecture

As noted in prior articles and YouTube videos, the main tenet of Zero Trust Architecture (ZTA) is to trust nothing on the network by default (hardware, software, objects, users, processes, etc.) and to verify every access request: never trust, always verify. In May 2021, President Biden issued an Executive Order on improving the Nation's Cybersecurity, directing federal agencies to move toward a zero trust architecture across their infrastructure.

Bring Your Own Device (BYOD) raises several issues for an organization's information system and cybersecurity posture. A company policy that allows employees to attach personally owned devices to the organization's network gives them the flexibility to reach organizational resources remotely or while teleworking, but it is also a cybersecurity risk: the organization may not fully know the security profile of a personally owned device (its patch level, installed applications, or whether it has been rooted or jailbroken), and a device whose profile is unknown can introduce risk into the organization's network. Under ZTA, such a device's posture has to be verified before it is granted access, rather than assumed from its presence on the network.

The NIST document "NIST SP 1800-22: Mobile Device Security: Bring Your Own Device (BYOD)" recommends that organizations use both a standards-based approach and commercially available technologies to help meet their security and privacy needs when permitting personally owned mobile devices to access enterprise resources.

Item 3: NIST Suggests Agencies Accept the Word of Software Producers Per Executive Order

An Executive Order (EO) entitled "Executive Order on Improving the Nation's Cybersecurity" was issued by President Biden on May 12, 2021 (EO 14028). The EO tasked NIST with producing supporting and operational guidance. The five NIST documents discussed here (listed under Item 3 in the References below) were published in early February 2022; the two labeling-criteria papers carry the date February 4, 2022 in their DOIs. The Office of Management and Budget memo directing agencies to apply that guidance followed on September 14, 2022.

The intention of EO 14028 is to respond to the growing number of cyberattacks on the government and the critical infrastructure of the US. Further, the EO establishes a framework for how the government and private sector should work together to improve the nation’s cybersecurity posture. Also, the EO encourages a voluntary program for organizations to share and participate in the identification and management of cybersecurity risks.

Currently, contract terms or restrictions may limit the sharing of cyber threat or incident information with the executive departments and agencies responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). The EO directs that these restrictions be removed and recommends that the FAR Council and the agencies that maintain supplements such as the DFARS update contracting language to reflect the intended collaboration on cybersecurity between the government and its private-sector partners.

The intention of the framework is to modernize and strengthen government cybersecurity standards by giving agencies a common set of standards (e.g. a playbook) for protecting data and systems. Software supply chain security is a main component of the EO, because critical operations rely on software, and the EO highlights the key points at which only trusted and verified software should be allowed in. This implies a strong need for a secure software development lifecycle (SSDLC).

To this end, the EO (Section 4(e)) directs that software producers provide purchasers with a Software Bill of Materials (SBOM), so that agencies using commercial off-the-shelf software can track the components inside it and confirm that suitable updates are applied in a timely manner.
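As an added example (not from the article, the EO, or NIST), the following Python script shows the tracking that an SBOM enables on the consumer's side: it reads a constructed CycloneDX 1.4-style SBOM, matches each component's package URL (purl) against a hypothetical advisory list (identifiers beginning EXAMPLE-), and reports which components fall inside an affected version range, which are already at or past the fixed version, and which cannot be assessed because the SBOM records no version. CycloneDX, the package names, and the advisories are assumptions; in practice the feed would be the NVD, OSV, or a vendor advisory source.

```python
"""Check the components of a CycloneDX SBOM against an advisory feed.

Added example (not from the article). SBOM is a constructed CycloneDX
1.4-style document; ADVISORIES is hypothetical (EXAMPLE- identifiers).
Components and advisories are matched on the package URL (purl) with the
version, qualifiers and subpath stripped.
"""
import re

SBOM = {  # constructed
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.0",
         "purl": "pkg:pypi/examplelib@1.2.0"},
        {"type": "library", "group": "com.example", "name": "fastjson-clone", "version": "3.0.4",
         "purl": "pkg:maven/com.example/fastjson-clone@3.0.4?type=jar"},
        {"type": "library", "name": "tlsutil", "version": "0.9.12",
         "purl": "pkg:npm/%40example/tlsutil@0.9.12"},      # npm scope '@' is percent-encoded
        {"type": "library", "name": "legacy-parser",
         "purl": "pkg:npm/legacy-parser"},                  # producer recorded no version
    ],
}

# Hypothetical advisories. 'affected' is the half-open range [lo, hi):
# versions from lo up to but not including hi are affected; hi is the fix.
ADVISORIES = [
    {"id": "EXAMPLE-2022-001", "purl": "pkg:pypi/examplelib", "affected": ["1.0.0", "1.2.3"]},
    {"id": "EXAMPLE-2022-002", "purl": "pkg:maven/com.example/fastjson-clone", "affected": ["3.0.0", "3.0.4"]},
    {"id": "EXAMPLE-2022-003", "purl": "pkg:npm/%40example/tlsutil", "affected": ["0.9.0", "0.9.13"]},
    {"id": "EXAMPLE-2022-004", "purl": "pkg:npm/legacy-parser", "affected": ["0.0.0", "2.1.0"]},
]


def split_purl(purl):
    """Return (package key without version/qualifiers/subpath, version or None).
    The purl spec requires '@' inside namespace/name to be percent-encoded,
    so the last literal '@' separates the version."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    pkg, sep, version = base.rpartition("@")
    return (pkg, version) if sep else (base, None)


def parse_version(v):
    """Dotted-integer ordering ('1.2.10' > '1.2.9'); non-numeric parts count as 0.
    Adequate for the sample, not a substitute for ecosystem-specific comparators."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))


def in_range(version, lo, hi):
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def check_sbom(sbom, advisories):
    """One finding per component that is affected, or that cannot be assessed.
    Components at or beyond the fixed version produce no finding."""
    by_key = {}
    for adv in advisories:
        by_key.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        key, version = split_purl(purl)
        for adv in by_key.get(key, []):
            lo, hi = adv["affected"]
            if version is None:
                status = "unknown-version"   # SBOM gap: ask the producer for the version
            elif in_range(version, lo, hi):
                status = "vulnerable"
            else:
                continue                     # already at or past the fix
            findings.append({"component": comp["name"], "version": version,
                             "advisory": adv["id"], "status": status, "fixed_in": hi})
    return findings


if __name__ == "__main__":
    for f in check_sbom(SBOM, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['status']} ({f['advisory']}, fixed in {f['fixed_in']})")
```

The version ordering is a dotted-integer comparison, adequate for the sample but not for every ecosystem (Maven qualifiers, npm pre-release tags, Debian epochs); use the ecosystem's own comparator in production. The unknown-version case is worth keeping visible: a component listed without a version is a gap in the bill of materials that the producer should be asked to fill, not a clean result.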

Between the vendors that produce software and the organizations that use it, the verification of security remains with the software vendor. This is reflected in NIST's five EO 14028 documents, which emphasize the SSDLC and self-attestation by vendors that develop software for the government and the defense industrial base (DIB). The five documents are listed under Item 3 in the References below.

While NIST highlighted self-attestation (aka first-party attestation) in contrast to external (second-party or third-party) attestation, the five documents in general emphasize (a) secure development of IoT software, (b) the use of the Secure Software Development Lifecycle, (c) signing of software components by the developer, and (d) cooperation between software and hardware developers within a standardized cybersecurity framework, to foster better communication and cybersecurity resiliency of federal and DIB systems.

In general, the approach NIST takes to address the EO removes many existing inter-agency obstacles and focuses on a common cybersecurity framework used across all government agencies. Further, the proposed process for software producers resembles the NIST SP 800-171 Rev. 2 self-assessment that the DFARS requires of defense contractors. An Office of Management and Budget (OMB) memo dated September 14, 2022 (M-22-18, link: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf) notes the following: "If the software producer cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form, the requesting agency shall require the software producer to identify those practices to which they cannot attest, document practices they have in place to mitigate those risks, and require a Plan of Action & Milestones (POA&M) to be developed." The memo further states that "If the software producer supplies that documentation and the agency finds it satisfactory, the agency may use the software despite the producer's inability to provide a complete self-attestation." This approach places the onus of verifying the software producer's self-attestation on the agency using the software.

While NIST is tasked with making the EO actionable, the self-attestation by software producers may, IMHO, need a deeper dive, as verification of the self-attestation appears to rest on each agency's shoulders. For example, the self-attestation documents that software producers submit should follow a prescribed set of controls (the controls have yet to be fully delineated in my review of the NIST documents). An external review group outside the individual agencies should review the submitted self-attestations to ensure that software vendors are following the list of compliance controls. While there is little mention of external auditors to vet the software security compliance process in the NIST documents, an external auditing agency may be needed to ensure overall adherence to the software security controls and standards that NIST is developing under the EO.

References

Item 1: Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/

• What is the National Vulnerability Database?: https://nvd.nist.gov/

• What is Threat Intelligence?: https://www.vmware.com/topics/glossary/content/threat-intelligence.html

Item 2: Zero Trust Applied to the Mobile World: https://www.rsaconference.com/library/Blog/zero-trust-applied-to-the-mobile-world

• Executive Order on Improving the Nation's Cybersecurity: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

• NIST SP 800-207: Zero Trust Architecture: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

• NIST SP 1800-22: Mobile Device Security: Bring Your Own Device (BYOD) (Draft): https://www.nist.gov/news-events/news/2021/03/mobile-device-security-bring-your-own-device-byod-draft-sp-1800-22

Item 3: NIST Suggests Agencies Accept the Word of Software Producers Per Executive Order: https://www.nextgov.com/cybersecurity/2022/02/nist-suggests-agencies-accept-word-software-producers-executive-order/361644/

• Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e: https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/software-supply-chain-security-guidance

• NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: https://csrc.nist.gov/publications/detail/sp/800-218/final

• Recommended Criteria for Cybersecurity Labeling of Consumer Internet of Things (IoT) Products: https://doi.org/10.6028/NIST.CSWP.02042022-2

• Recommended Criteria for Cybersecurity Labeling of Consumer Software: https://doi.org/10.6028/NIST.CSWP.02042022-1

• Consumer Cybersecurity Labeling Pilots: The Approach and Feedback: https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/consumer-cybersecurity-labeling-pilots-approach

• OMB Memorandum M-22-18 for the Heads of Executive Departments and Agencies: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP

· CMTC Email: rmcfarland@cmtc.com

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· Website: https://www.highervista.com

· YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw

Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)