Dismissed employee decimates ex-employer’s Cloud servers

This story highlights the risk posed by elevated privileges that remain in place after an employee leaves.

Good leaver procedures, ideally making good use of automation, are an important element of personnel security in such situations.

https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/amp/

Aluminium maker battles to contain ransomware attack

A significant news story this morning. This underlines the importance of a range of security measures, including network segmentation.

It is also important to carry out risk assessments and treatments that target business-critical systems, with security controls reflecting what is likely to be a heightened risk appetite.

Reuters: https://uk.reuters.com/article/us-norsk-hydro-cyber/aluminum-maker-hydro-battles-to-contain-ransomware-attack

Windows 7 support will end soon – Microsoft

The US Department of Homeland Security's CISA today covered the impending end of support for Windows 7.

What date will support end for Windows 7? It’s January 14, 2020. With enterprise refresh plans taking a long time, obsolescence planning needs to start now to avoid the risks of running unpatched platforms.

After this date, Windows 7 will no longer receive technical support, software updates, or security updates or fixes.

Read more at US-CERT – Microsoft Ending Support for Windows 7

Microsoft's End of Support FAQ also has lots of useful information; see Microsoft End of Support FAQ

What can you do in your business to better manage this upcoming development, and similar ones in the future?

  • Review your installed software base using automated licensing tools
  • Manage your operating environments
  • Ensure all operating environments, to the fullest extent possible, are in-support and receiving updates
  • Carry out rigorous risk assessment and treatment for obsolete platforms
  • Implement a patch management plan and policy
  • Implement an obsolescence management plan
  • Consolidate your enterprise environment to fewer better-managed operating systems

Threat actors leverage legacy email protocols to bypass MFA

An interesting article by ProofPoint. This has been a weakness in many MFA architectures, particularly for email, for a long time now; application-specific passwords have typically been used to mitigate the threat.

Hopefully we will see some innovation in authentication schemes for legacy protocols, but it might not be easy due to inherent protocol limitations.

This underlines the importance of:

  • MFA access to external non-VPN email (e.g. OWA) through controlled access routes
  • Removing Internet facing legacy email services such as POP3 and IMAP
  • Intrusion detection (IDS) on your perimeter network
  • In-house or outsourced 24×7 SOCs

See https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

CMU CERT on ASLR – assumptions are a bad idea

Some time ago I wrote a blog post on the topic of ASLR, DEP and similar protections offered by Windows.

As I discussed at the time, it’s very easy to make assumptions about these kinds of protective schemes that in many cases fail to hold.

This is because, in the absence of a mandatory protection policy, these protections are controlled by flags in the PE executable header, which effectively makes them opt-in on a per-binary basis.

I stumbled across a post by CMU CERT on this very topic by Will Dormann recently, which complements my earlier blog post very well. Worth a look.

This is, of course, a very good motivation for:

  • Using the latest version of software
  • Maintaining patch management policies and plans
  • Auditing software, particularly binaries with a heightened attack surface (e.g. public-facing daemons)
  • Protecting legacy software systems
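To make the opt-in point concrete for the auditing bullet above, here is an added example (not code from the original post or from the CERT article) that reads the relevant flags straight out of a PE header: `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` (DEP), `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (ASLR), `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` and the COFF `IMAGE_FILE_RELOCS_STRIPPED` bit, whose presence prevents the loader from relocating an image even when ASLR was requested. Flag values and offsets are taken from the PE/COFF specification; the sample headers are constructed in code purely so the checker runs offline, and are not real binaries.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF header Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT (DEP)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigation_flags(data: bytes) -> dict:
    """Report which opt-in mitigations the headers of a PE image request."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                           # optional header follows
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_requested": dynamic_base,
        # No relocations means the loader cannot move the image: no ASLR.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_aslr": magic == PE32PLUS_MAGIC
        and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_sample_headers(pe32plus: bool, characteristics: int,
                         dll_characteristics: int) -> bytes:
    """Constructed minimal DOS + PE headers for testing; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Pointing `pe_mitigation_flags` at the bytes of a real executable reports what its linker opted into, which is exactly the assumption the CERT post warns should be verified rather than taken for granted.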

SANS Security Awareness: Forwarding Email

SANS Security Awareness regularly produce useful information that SMEs and enterprises can use to improve user awareness of cyber security topics. It’s all good stuff, but this recent update caught my attention, as the mistake it describes is very easily made in modern desktop email software:

https://www.sans.org/security-awareness-training/resources/email-oops-and-how-avoid-them