Thursday, March 12, 2020

Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!

https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html

Microsoft today finally released software updates to patch a recently disclosed, highly dangerous vulnerability in the SMBv3 protocol that could let attackers launch wormable malware, which propagates itself from one vulnerable computer to another automatically. The vulnerability in question, tracked as CVE-2020-0796, is a remote code execution flaw that affects Windows 10 version 1903 and 1909,

Is the cybersecurity skills gap real?

https://cybersecurity.att.com/blogs/security-essentials/is-the-cybersecurity-skills-gap-real

An independent guest blogger wrote this blog.

If you do a web search for "cybersecurity skills gap," you'll get many, many pages of results. It's certainly a hot topic in our industry. And it's a matter that security practitioners and human resources people often disagree on.

But before I get further into the matter, it would help to know what it is we're talking about when we use the phrase "cybersecurity skills gap."

From the perspective of employers, it means that potential job applicants don't have the specific cybersecurity skills they're looking for, and possibly that the people they already employ don't have the skills to be promoted into new cybersecurity-related positions. This can be a really tricky area, because computer technology evolves very quickly, and universities, colleges, and vocational schools often cannot change their curricula at the same speed. Likewise, the cyber threat landscape can change quickly too!

From the perspective of many job seekers and security people, including myself and many of my colleagues I've spoken with, the phrase "cybersecurity skills gap" can sound like a taunt. Some of us have spent years in computer science programs, and many more years in IT courses and acquiring industry-specific certifications. So what if we don't have a particular niche certification or ten years' experience with Windows Server 2016? We have loads of related know-how, and we match many of the other job requirements, so why won't employers give us a chance and let us learn the rest? A few others have had a knack for computing since childhood, but the expense of college tuition and certification exams can seem insurmountable when you're just starting out and have little money. How do we get our foot in the door in the first place when we need experience for a job, but can't get experience until we get a job?

The cybersecurity skills gap phenomenon can hurt people in the industry who want good jobs, but it hurts companies and the security of their networks even more. According to the 2018 (ISC)² Cybersecurity Workforce Study, more than 2.9 million cybersecurity related job positions worldwide were unfilled. In the time that's passed, that number likely grew. These are positions spanning a wide range of roles, from SOC analysts to DFIR, from penetration testers to application security specialists. Not having people work in these positions that organizations have recognized as needs inevitably weakens cybersecurity everywhere, and companies lose huge amounts of money in cyber attacks and data breaches.

I have my own personal views on the matter. But cybersecurity people on Twitter also talk a lot about unrealistic job posting expectations and their impact on the skills gap.

Shawn Thomas is a SOC manager. He tweeted about his exasperation with job posting requirements.

"If your entry level job in infosec requires:
  • A masters
  • At least 3 certs
  • Prefers two years of experience.
YOU ARE NOT ALLOWED TO COMPLAIN THAT IT'S HARD TO FIND CANDIDATES
Additionally the discouragement students have when they hear that should make you feel bad about yourselves."

I also have an industry friend who has done a lot of her own research into the skills gap matter. Plus she has experience hiring for cybersecurity roles, experience that I lack. Alyssa Miller is a security evangelist and hacker, and she shares her knowledge at so many security conferences that it'd overwhelm me to do the same. She has written many posts on her blog about the skills gap, so I wanted to learn a bit from her.

She recognizes many factors in the skills gap problem, ranging from unrealistic job posting requirements ("Must have a CISSP, a Master's in Computer Science, and ten years' experience with Metasploit Framework 5.0. An entry level role, salary $40,000 per year.") to interviewers' prejudice against body piercings and tattoos (of which I have many). But I wondered if a corporate reluctance to spend time and money on training may be a factor too.

She said, "I absolutely think companies are reluctant to invest in training people and it definitely is a contributing factor to the skills gap. Over the last few decades, budgets for training have been one of those easily leveraged pools of money that takes an early hit when cost cutting is needed. Additionally, some organizations seem to be afraid that if they pay to train their people, those people will be worth more in the open market and will leave the company, nullifying their investment. What they fail to see is that by investing in those people and showing that they value them, that actually encourages them to stay."

I hope an HR manager is reading this! Ping-pong tables may be nice, but providing your employees with specific training so they can take on roles with greater responsibility within your organization is much nicer.

Interviewers also need to broaden their idea of what a good security practitioner looks like. They could physically look like anyone! They could be a 40-year-old white man in a Brooks Brothers suit, but they could also be a 20-year-old multiracial woman in a wheelchair with purple hair and a wardrobe from Hot Topic. Conversely, you shouldn't be afraid to hire a 60-year-old either. I asked Miller about a term frequently used in HR, "culture fit."

"There's a lot of bias in the hiring process and yes, culture fit is one of them. Security, and tech in general, thrive on diversity. More than that, we need it to truly advance and be better. Diversity of thoughts, experiences, ideas, backgrounds, it all helps create better technology and better solutions to problems. Culture fit is a term that gets overused and misapplied. As you pointed out, hiring managers who don't really understand how to develop culture or who are not well trained in evaluating talent will often default to finding someone who's like the people we have today and term it culture fit."

We'd like to have a positive impact on companies that hire cybersecurity people. So Miller has some advice for you.

"(My advice) first is investing in your people as we discussed, but not just the security team. Develop clear skills development plans that allow resources to transition from other non-security or even non-IT roles into security and then enable those plans. Second, you have to actively work to eliminate biases in your hiring. Not just along the lines of things like ethnicity, gender, and so forth, but things like appearance, experience, and so on. Be willing to hire the person with purple hair or a full sleeve tattoo. Artificially limiting your pool based on foolish criteria is always a bad idea. Finally, embrace remote working. I can't believe in 2020 we're still having this conversation but I'm amazed how many roles I see that still require a local in-office resource when the technology exists for people to do that job from a remote location. I've heard from hiring managers who are still afraid of how to manage remote people so they just don't allow it. That's wrong on so many levels."

I honestly believe that a lot of companies really do want to do something to help close the skills gap and improve the cybersecurity of their organizations by hiring more people. Millions of unfilled cybersecurity job roles hurt everyone involved: people in the industry, people looking to get into the industry, businesses of all sizes in all industries, and everyone's security as a whole. Fortunately, this is a solvable problem. But it will take a lot of teamwork and a lot of mind-opening.

But that's just my opinion and the opinion of many others in our industry.


Microsoft Issues March 2020 Updates to Patch 115 Security Flaws

https://thehackernews.com/2020/03/microsoft-patch-tuesday-march-2020.html

Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software, making the March 2020 edition the biggest Patch Tuesday ever in the company's history. Of the 115 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, Exchange Server, Office, Azure, Windows

LVI Attacks: New Intel CPU Vulnerability Puts Data Centers At Risk

https://thehackernews.com/2020/03/intel-load-value-injection.html

It appears there is no end in sight to the hardware-level security vulnerabilities in Intel processors, or to the endless 'performance killing' patches that resolve them. Modern Intel CPUs have now been found vulnerable to a new attack that inverts Meltdown-type data-leak vulnerabilities in order to bypass existing defenses, two separate teams of researchers told The

Warning — Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed

https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html

Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting the Server Message Block 3.0 (SMBv3) network communication protocol. It appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update only,

Beware of 'Coronavirus Maps' – It's a malware infecting PCs to steal passwords

https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html

Cybercriminals will stop at nothing to exploit every chance to prey on internet users. Even the disastrous spread of SARS-CoV-2 (the virus), which causes COVID-19 (the disease), is becoming an opportunity for them to likewise spread malware or launch cyber attacks. Reason Cybersecurity recently released a threat analysis report detailing a new attack that takes advantage of internet users'

Microsoft Hijacks Necurs Botnet that Infected 9 Million PCs Worldwide

https://thehackernews.com/2020/03/necurs-botnet-takedown.html

Microsoft today announced that it has successfully disrupted the botnet network of the Necurs malware, which has infected more than 9 million computers globally, and also hijacked the majority of its infrastructure. The latest botnet takedown was the result of a coordinated operation involving international police and private tech companies across 35 countries. The operation was conducted

LogRhythm Labs: Cybersecurity Expertise Delivered into Your LogRhythm Deployment

https://logrhythm.com/logrhythm-labs-cybersecurity-expertise-delivered-to-your-deployment/

What is LogRhythm Labs?

LogRhythm Labs is the team that researches and creates the content that goes into the LogRhythm NextGen SIEM Platform. The team mission is to:

Research and deliver world-class security, compliance, intelligence, and operational risk content to protect our customers from damaging cyberthreats, meet their compliance needs, and reduce their operational risk.

Labs, therefore, exists to provide the threat, compliance, and operational content that enables the LogRhythm platform to provide out-of-the-box value and usability to our customers.

Labs content is delivered within discrete modules consisting of analytics rules, reports, searches, and dashboards. Additional content may also include automation via our SOAR offering, RespondX, or automated lookup via Web Contextualisation.

Content is regularly added, actively maintained, and released as part of our weekly Knowledge Base update directly into the platform. Customers can use as much or as little of the content as they like, and we include the ability to clone the provided content for bespoke requirements.

Labs consists of three focused teams: Compliance Research, Threat Research, and Strategic Integrations. I'll explain these in more detail below.

Compliance Research

LogRhythm employs a team of subject matter experts in the compliance space. And when it comes to compliance, change seems to be the only constant. New regulations are released, existing regulations change over time, and our customers rely on LogRhythm to help them comply with complex regulatory frameworks and standards.

LogRhythm delivers compliance content in support of numerous regulatory frameworks, including NIST, HIPAA, ISO27001, GDPR, and PCI, as well as many other regulatory frameworks from the United States, Europe, the Middle East, and the Asia Pacific regions.

The Compliance Research team has also developed the Consolidated Compliance Framework. This is a unique offering designed to offer greater efficiency and to reduce management and analyst overhead for customers needing to demonstrate compliance with multiple mandates or regulations.

When amendments are enacted to any of the supported regulations, we develop the necessary updates to the compliance module's library of report packages, investigations, rules, and alerts that are specifically mapped to individual controls as specified by the relevant regulations.

Threat Research

LogRhythm's Threat Research team continuously researches the latest trends in cyberthreats. Cyberthreats are constantly evolving, and the methods used in attacks change over time. Furthermore, as soon as new technology (e.g., mobile devices, sensors, and the internet of things, or IoT) is released by vendors, threat actors begin to look for methods and techniques to compromise those devices.

The Threat Research team develops and maintains content aligned with the threat landscape as it evolves, considering the latest tactics and techniques that attackers are leveraging. The team leverages original research, threat intelligence, and other industry resources, as well as their own wide experience to deliver effective threat detection capabilities.

Skilled cybersecurity resources are at a premium, and it's beyond the reach of most organizations to build and resource their own threat research unit. Threat Research does the research and content development that provides all of our customers with wide and deep threat detection capability right out of the box, providing enormous added value beyond a simple software platform. Even those organizations that are resourced for their own threat research can get a significant boost to the efficacy of their operations by using our prebuilt content for their core requirements, and as a powerful basis for further development.

The team maintains our User and Entity Behavior module, as well as our Network Detection and Response module. During 2019 a brand-new module aligned to the MITRE ATT&CK framework was also released. Because ATT&CK is so comprehensive and constantly growing, we have adopted an Agile release methodology to enable iterative updates, thus allowing new content to be continually delivered to our customer base. This approach will also enable us to release content supporting the additional frameworks MITRE has launched aligned with Cloud and ICS.

Strategic Integrations

Our Strategic Integrations team is comprised of subject matter experts in integration and operational technology. This team's research spans a wide range of verticals, including healthcare, transport, energy, manufacturing and more. This research encompasses ICS, OT, sensors and medical devices, in addition to the operational systems used in the relevant industry vertical (for example, electronic health record systems and human resource management systems). The goal is to identify risk pre-emptively and reduce it as it affects the operations of a business.

This team delivers content that can assist in reducing operational risk, gaining insight into OT, IoT, and IIoT device activities, promoting good IT hygiene, and integrating specialist device types into the LogRhythm ecosystem. As you can imagine, this is a busy and constantly changing environment as digital transformation affects every aspect of life, and more and more devices interact with our physical as well as digital lives.

What Content Did Labs Release in 2019?

  • Threat
  • Compliance
    • Extensive Revisions to Consolidated Compliance Framework (CCF)
    • Criminal Justice Information Service Module
    • ISO 27001 Module
    • Australian Signal Directorate Module
  • Strategic Integrations
    • IT Operations Module
    • Physical Security Integrations (three releases)

What Content is Available in the LogRhythm NextGen SIEM Platform?

Compliance Modules:

ASD, NY DFS, CJIS, ISO 27001, UAE-NESA, PCI-DSS, MAS-TRMG, NIST, NERC CIP, GDPR, SOX, NEI, 201 CMR 17, NRC, HIPAA, GPG-13, DoDI 8500.2, FISMA, SOX COSO, GLBA, NIST CSF, NIST 800-53, CIS CSC

Threat Modules:

Core Threat Detection, UEBA, NDR, MITRE ATT&CK, Retail Cybercrime, Threat Feed integrations

Strategic Integrations:

IT Operations, Epic, Healthcare Security, Financial Fraud Detection

Embedded Expert Content Delivered Straight to Your Deployment

The LogRhythm Labs team works tirelessly to research and deliver new content into the LogRhythm NextGen SIEM Platform so your team can:

  • Get immediate value from your deployment
  • Easily keep up with the changing threat landscape and digital transformation
  • Reduce the reliance on in-house research expertise

The Labs team is your partner in making sure you have content and resources that you need to be successful and get value from your LogRhythm investment — and all of this content comes at no extra cost to you.

Find documentation around all of our modules on the LogRhythm Community under Documentation and Downloads: https://community.logrhythm.com

2020 ATT&CK Roadmap

https://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba?source=rss----6da19bd08fba---4

Taking a look back at 2019 and presenting a 2020 roadmap for ATT&CK

Written by Blake Strom and Amy Robertson

We started 2019 with a bold series of goals, and with the help of the MITRE ATT&CK® community and hard work from our team, we've accomplished many of those and more.

With your input, we developed and published the Impact tactic to address integrity and availability attacks against enterprise systems. We reworked how mitigations are represented in ATT&CK to make the information easier to use. The (ongoing) Sightings pilot was launched to collect contributions on raw sightings of ATT&CK techniques, and we kicked-off the second round of ATT&CK Evaluations with a new actor and a new approach leveraging contributions. The "Getting Started with ATT&CK" series was unveiled, and we're looking forward to sharing more use cases in the coming months. We released ATT&CK for Cloud, a needed expansion to ATT&CK that wouldn't have been possible without significant community contributions. Our work on restructuring ATT&CK with the sub-techniques continued through feedback from the community, and we're targeting a release in the upcoming months. You told us that ATT&CKcon 2.0 was a success, and the Threat Report ATT&CK Mapper (TRAM) enjoyed a beta release. Finally, we started an ATT&CK training series which kicked off with the release of our ATT&CK for Cyber Threat Intelligence (CTI) training.

To our ATT&CK community, we're grateful for your passion, support and involvement and we're excited about a new decade of collaboration. Our team has been working towards some significant adjustments to ATT&CK in 2020, including a few new additions and several modifications that have been percolating for a while. We look forward to connecting with you as we forge ahead with our 2020 Roadmap.

Members of the ATT&CK Team at ATT&CKcon 2.0

Restructuring, Refinement and Revamping

We have a lot planned for Enterprise ATT&CK in 2020. We'll be restructuring the framework with sub-techniques, revamping ATT&CK's data sources, and refining Mobile, PRE-ATT&CK, Cloud, and ICS. We'll also be publishing a new extension of ATT&CK to cover behavior against network devices such as routers. Throughout all these updates and adjustments, we welcome your feedback. Our goal is to ensure that ATT&CK continues to be a valuable resource, and if an adjustment undermines usability, or if there are ways to enhance your overall experience, we want to know.

The sub-techniques journey is nearly complete — we're targeting a soft launch in March and you can read about the latest details here. We've been working to minimize the impact of the associated realignment and have addressed many of the concerns that you raised. To simplify the transition, we're refining a crosswalk from old technique IDs to new ones, or mapping newly broken out sub-techniques to higher level techniques.

The sub-techniques will be published on a companion site alongside the main ATT&CK site, clearly charting out the changes. This companion site will give everyone a few months to preview and process the full scope of the changes before we finalize that version and make it official. The old site will then be added to the previous versions for reference. Once we release the new ATT&CK framework with sub-techniques, we welcome your feedback on the good, the bad, and the needs-adjustments.

We're also nearly finished revamping the data sources used for Enterprise techniques and we're excited about the enhancements. Data sources are one of the most critical aspects of ATT&CK, and we'll be sharing some additional details in the coming weeks about our new methodology to define sources. The details won't be ready to be included in the sub-technique update, but we will be posting the new data sources definitions and details to GitHub to get them out faster. The updated data sources model will be implemented into the site after the sub-techniques are published.

On the ATT&CK for Cloud front, we've been working towards refining it into sub-techniques and getting new contributors on board to help us expand. ATT&CK for Cloud was built around nearly 100% community contributions for techniques, and we'll continue to leverage this expertise to enhance the model. Our goal is to jump back into expanding Cloud with new techniques after sub-techniques are released and to publish the second set of techniques in the fall.

The adversary behavior model for Network Infrastructure Devices is being developed with routers, switches, and firewalls in mind. We've been leveraging open source reporting and have coordinated closely with industry. The Network research will ultimately impact the current ATT&CK structure with a new platform, but we are developing it with sub-techniques in mind. We're targeting an initial release of our research in the fall and will use the contributor process you're already familiar with to keep it updated.

We're still working to improve consistency and integration between PRE-ATT&CK, Mobile ATT&CK, and Enterprise ATT&CK and are moving towards an eventual "One ATT&CK" model. This will include refining ATT&CK based on the changing threat landscape for enterprise systems focusing on Windows, Mac, and Linux. The technical content in PRE-ATT&CK will be brought up to the same level of ATT&CK for Enterprise and will be integrated into ATT&CK with two new tactics. Our goal with this revamp is to better prepare users to identify who to defend against and the applicable defensive options. The team will continue to refine the Mobile ATT&CK model focusing on Android and iOS, with the addition of sub-techniques and upgraded data sources. We plan to assess merging the Mobile and Enterprise ATT&CK models later in the year.

In the same vein, we're moving forward with our research and refinement of ATT&CK for ICS techniques. ATT&CK for ICS is a community-driven project, and we'll maintain this close collaboration with stakeholders to hone the knowledge base. All the technique adjustments and releases will be based on your input and any new threat reporting on incidents. The separate ATT&CK for ICS wiki that was published in January 2020 will allow the ICS knowledge base to mature separately from the rest of ATT&CK, allowing for more rapid updates. We also plan on evaluating if merging ATT&CK for ICS with the main ATT&CK knowledge base makes sense towards the end of the year, including translating the information into STIX and integrating it into the main ATT&CK website and tools like the ATT&CK Navigator. We'd appreciate your involvement on this approach, and we look forward to hearing about what you think as we move forward.

Mapping, Developing, and Sightings

On the mapping automation front, we're moving full speed ahead. The Threat Report ATT&CK Mapper (TRAM) was beta released in December, and we'll continue developing it this year. TRAM is currently a functional prototype and we plan on improving the interface, adding some new features, and enhancing overall functionality throughout the year. Some of our targeted updates include the ability to ingest additional file types, more output formats, and supporting multiple users simultaneously. As we add and update these features, we'll announce the changes and keep our public repository current. We're looking forward to hearing about your experience with TRAM as we move towards more feature implementations.

TRAM's Workflow

Our team has also been working to map ATT&CK to NIST 800-53 v4. Mapping ATT&CK to common control frameworks will better support efforts to identify controls that mitigate relevant threats and to identify capability gaps. We'll be collaborating with CIS on their current model that maps CIS controls to ATT&CK to expand the mappings into other frameworks. We hope to share more details on the model and where it'll be featured soon. Our current prototype for NIST 800-53 will be published to the ATT&CK GitHub and we'd like your involvement in maintaining and updating it. Our goal is to provide a flexible mapping structure that evolves with the environment and is user-friendly. If you've already started a mapping, or have some ideas about what types of mappings would be most valuable, reach out and let us know.

Cyber Analytics Repository (CAR) will be updated this year with new analytics. We'll be developing analytics internally, working through external contributions, and adding implementations for new and existing analytics. We'll also be updating how we capture ATT&CK coverage for better accuracy and compatibility with sub-techniques. We're planning updates to CAR sensors to better reflect the current product landscape, and data model revisions showcasing modern sensor data, which will directly support the creation of analytics against the data. We're also hoping to update the CAR Exploration Tool (CARET) to improve UI, usability, and to take advantage of the other structural changes to ATT&CK.

We launched our ATT&CK Sightings pilot in 2019 to empower defenders globally by providing them with continuous information about what ATT&CK techniques adversaries are using and how they're using them. The Sightings program will do this by collecting anonymous contributions of observations of ATT&CK techniques in the wild from numerous, diverse sources and then publishing insights based on that data.

The pilot is ongoing, and we've set a deadline of April 30 to get commitments and pilot data sets from the initial cohort of contributors. We're actively working with contributors to overcome barriers and provide value back. This program is community-driven and can't be successful without your help. You can read our recent Sightings update for more information about how you can contribute and what's next for the Sightings pilot.

Finally, ATT&CK Evaluations will be conducting a new round under a new format emulating the Carbanak and FIN7 groups. MITRE-Engenuity will assume the reins moving forward, and continue to advance ATT&CK Evaluations. You can find more details about the Carbanak+FIN7 Evaluation here.

We will be hosting a new type of event May 18–20 to bring US government organizations together to discuss how they use ATT&CK and how they've overcome challenges. The call for presentations is open through March and you can find out more here.

We also know there's a lot of interest in the next ATT&CKcon. We're working through initial planning right now and we'll have more details to share in April.

ATT&CKing the Next Decade

The future of ATT&CK depends on community engagement as much as it does where adversaries go next. ATT&CK's success hinges on our partnership with the community and our collective ability to innovate and share knowledge. With you, as the community, serving as advisors, collaborators and champions, ATT&CK will be more impactful than ever.

We'll continue to leverage your input at every stage, including how to evolve ATT&CK. We're excited about how ATT&CK will advance in 2020, but we're even more energized by where we see ATT&CK going in the next few years.

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–00696–24.


2020 ATT&CK Roadmap was originally published in MITRE ATT&CK® on Medium.

Wednesday, February 19, 2020

Why vendor management is a cornerstone of security

https://cybersecurity.att.com/blogs/security-essentials/why-vendor-management-is-a-cornerstone-of-security


When it comes to building a security program, one of the most frequently overlooked areas is vendor management. Organizations focus significant resources on internal security, such as vulnerability scans, centralized log management, or user training, while not extending the same diligence towards their third parties. Organizations end up trusting the security of their network and data to an unknown and untested third party.

As we all know, a chain is only as strong as its weakest link. If an organization cannot verify the security of its third parties, then it has introduced the potential for risk and reduced the information assurance of its systems. It is essential to realize that even if a breach is caused by a third party, it is still your company's name and brand that is at risk.

The potential cost associated with a breach can include:

  • Fines
  • Loss of trust
  • Brand damage
  • Data loss

What damage can vendors do? 

Despite the warning above, you may still be thinking, "What damage could my vendors really do?" The answer to that question will vary based on the access, control, and data you provide to them. For example, if your office caterer were breached, the overall risk to the organization is easily contained by simply canceling whatever card you offered them.

On the other hand, if you have a third-party accountant or lawyer you could be exposed to much more damage. In this example, you would be releasing highly private and potentially valuable data into unknown systems, with unknown controls and unknown users. This line of thinking can apply to any organization and any vendor, regardless of size or industry, and can help you identify where to focus your efforts.

Any vendor that has access to your systems or data is inherently a risk to your company. Every threat or vulnerability you face, your vendors will also face. Are you confident they take these threats as seriously as you do? Or are they even aware of them?

Regardless of how confident you may feel, I highly recommend you continue reading! The rest of this article is dedicated to providing tips and advice for building a program to assess, vet, and remediate risks related to your third parties.

What can you do?

Now that you understand the risks vendors pose to your organization, you need to determine what you can do to help reduce them. There are a few steps any organization can take to develop a more robust stance on vendor management. It must be noted that to build a truly effective and mature program you must be willing to dedicate the time and resources to do it right. I have broken out the necessary steps below and have provided advice for what these steps should cover.

A vendor management program should have, at a minimum, the following components:

Policy – A vendor management policy should cover the purpose behind assessing vendors, staff responsibilities, communication channels, and other core components of the overarching program.

Procedures – Along with the policy, your organization will need several defined procedures to implement and manage the vendor management program effectively. These procedures can include:

  • Assessment outlines/workflows
  • Documentation management
  • Evidence requirements

The processes you create should be relevant to the size and scope of your program and must fit your general operations.

Rankings – To ensure that resources are used effectively, you must come up with a ranking system to classify your vendors. While there is no 'right' answer to ranking vendors, a few metrics you can use to determine criticality are:

  • Sensitivity of data they receive
  • Volume of data they receive
  • Importance of service they provide

These can be used by themselves or combined to form a more robust ranking system. There are other ways to rank vendors, and you should make sure to pick the metrics that best fit your organization.

Escalation Points – As part of the policies and procedures supporting this program, there should be defined staff who serve as escalation points for any issues or security concerns. These staff should be senior members of the organization or those with authority to make decisions. This is a necessary component of any program because, unfortunately, not all vendors will be willing to remediate gaps, or even undergo an assessment. In these cases, it is up to the assigned staff members to determine the best course of action.

Contract Requirements – Make sure to have standardized contracts with your vendors that include things like service level agreements (SLAs) to ensure that your vendors are actually obligated to provide the services you buy from them. Without an SLA you have little recourse if your vendor suffers long-term outages or otherwise fails to deliver the promised service(s).

Internally, these requirements should be monitored by the specific teams or employees that work with these vendors regularly. The staff using the system or working with the vendor will be in the best place to notice abnormalities or contractual failings.

Conclusion

Vendor management is a complex and time-intensive task to which many organizations do not, and in many cases cannot, dedicate the time and resources it requires. For companies with a small number of vendors, this can be manageable, but most organizations will need additional support to create and implement these programs effectively. By dedicating resources to developing a program, organizations can begin to understand and eliminate the threats posed by their third parties.

For those organizations that do not have the resources to establish or maintain this type of program, AT&T Cybersecurity Consulting offers numerous solutions to help create, implement, and manage vendor management programs of any size.

For further information please visit https://cybersecurity.att.com.


OPNsense 20.1.1 released

https://opnsense.org/opnsense-20-1-1-released/


Hello, hello!

A tiny update to keep everyone happy.

Here are the full patch notes:

o system: increase size of user SSH key input box
o system: fix faulty PPP log link in the menu
o system: fix a PHP warning on the general settings page
o interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
o firewall: fix rule statistics display for rules using tagging
o reporting: fix missing separator in NetFlow configuration
o firmware: add Quantum mirror in Hungary
o openvpn: fix ifconfig-ipv6-push format
o plugins: os-dnscrypt-proxy 1.7[1]
o plugins: os-net-snmp 1.4[2]
o plugins: os-nginx 1.18[3]
o plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
o ports: lighttpd 1.4.55[4]
o ports: openldap 2.4.49[5]
o ports: pkg libfetch security fix[6]
o ports: sudo 1.8.31[7]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net-mgmt/net-snmp/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.lighttpd.net/2020/1/31/1.4.55/
[5] https://www.openldap.org/software/release/changes.html
[6] https://github.com/freebsd/freebsd-ports/commit/eec0b5c
[7] https://www.sudo.ws/stable.html#1.8.31

The post OPNsense 20.1.1 released appeared first on OPNsense® is a true open source firewall and more.

Wednesday, February 12, 2020

OPNsense 20.1 “Keen Kingfisher” released

https://opnsense.org/opnsense-20-1-keen-kingfisher-released/

For over 5 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates, as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed "Keen Kingfisher", is a subtle improvement on the sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation, amongst others. Third party software has been updated to its latest versions. The logging frontend was rewritten for MVC with seamless API support. On the documentation side, it has increased in quality as well as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/20.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.7:

o Captive portal performance improvements
o IPsec public key authentication support
o Elliptic curve TLS certificate creation
o CARP service demotion hook
o VXLAN device support
o Loopback device support
o Extended firmware health audit checks
o Support direction and non-quick on interface rules
o Logging frontend migrated to MVC / API
o PSR 12 coding style
o Documentation for all core components
o Python 3.7 is now the default Python version
o LibreSSL 3.0 and OpenSSL 1.1.1
o Google Backup API 2.4
o jQuery 3.4.1

And here are the full patch notes against version 20.1-RC1:

o installer: welcome users as genuine 20.1 installer
o rc: revert growfs change since Nano does not grow anymore
o plugins: os-mail-backup 1.1[2]
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2[3]
o plugins: zabbix4-proxy 1.2[4]
o ports: ca_root_nss 3.49.2
o ports: curl 7.68.0[5]
o ports: isc-dhcp 4.4.2[6]
o ports: php 7.2.27[7]
o ports: urllib3 1.27.7[8]

Known issues and limitations:

o HardenedBSD 12.1 has been postponed to the next major release
o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
o To prevent stale configuration files for remote syslog, we advise setting up the new targets first[9] and disabling the old ones under System: Settings: Logging
o i386 has not been deprecated for the time being

The public key for the 20.1 series is:

-----BEGIN PUBLIC KEY-----
[key body not included in this copy of the announcement]
-----END PUBLIC KEY-----

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1671
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[5] https://curl.haxx.se/changes.html
[6] https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES
[7] https://www.php.net/ChangeLog-7.php#7.2.27
[8] https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11
[9] https://docs.opnsense.org/manual/settingsmenu.html#logging-targets

SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982

SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64
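The checksum lines above are the only thing standing between a downloaded image and a tampered mirror, so they should be checked before an image is written to a disk or booted. The script below is an added example and not OPNsense project code: it parses the published BSD-style `SHA256 (name) = hex` lines from a file (`checksums.txt` is a name chosen for this example), hashes every listed image that is actually present in a download directory with whichever of `sha256sum`, `shasum` or `openssl` is installed, skips images that were not downloaded instead of failing on them, and refuses to report success when nothing at all was checked.

```shell
#!/bin/sh
# verify-opnsense.sh: check downloaded OPNsense images against the SHA256 lines
# published in the release announcement (BSD format: "SHA256 (name) = hex").
# Added example, not OPNsense project code. The file names used in the usage
# comment below are placeholders chosen for this example.

# Print the hex SHA-256 of file $1 using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_bsd_sums CHECKSUM_FILE [DIR]
# Reads "SHA256 (name) = hex" lines, hashes each named file found in DIR
# (default: current directory) and reports OK / FAIL / SKIP per entry.
# Returns 0 only if at least one image was checked and none failed, so an
# empty download directory or a stray checksum file cannot pass silently.
verify_bsd_sums() {
    sums=$1
    dir=${2:-.}
    checked=0
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "SHA256 ("*") = "*) ;;      # a BSD-style checksum line
            *) continue ;;              # headers, blank lines, anything else
        esac
        # Split "SHA256 (name) = hex" into its file name and expected digest;
        # digests are compared in lowercase in case they were published uppercase.
        name=${line#"SHA256 ("}
        name=${name%%") = "*}
        want=$(printf '%s' "${line##*") = "}" | tr 'A-Z' 'a-z')
        path=$dir/$name
        if [ ! -f "$path" ]; then
            echo "SKIP  $name (not present in $dir)"
            continue
        fi
        got=$(sha256_of "$path")
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK    $name"
        else
            echo "FAIL  $name"
            echo "      expected $want"
            echo "      got      $got"
            failed=$((failed + 1))
        fi
    done < "$sums"
    echo "checked=$checked failed=$failed"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage: sh verify-opnsense.sh checksums.txt [download-dir]
if [ "$#" -ge 1 ]; then
    verify_bsd_sums "$@"
fi
```

Copy the eight `SHA256 (...) = ...` lines into `checksums.txt`, run the script against the directory holding the `.bz2` downloads, and treat any FAIL or an exit status other than 0 as a reason not to use the image; the hash is computed over the compressed file exactly as published, so do not decompress it first.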

The post OPNsense 20.1 "Keen Kingfisher" released appeared first on OPNsense® is a true open source firewall and more.