November 2, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Russian cyber criminal gang responsible for SolarWinds attack now focusing on IT vendors & managed service providers
Microsoft published a blog post last week, warning that the Russian group Nobelium, known for the SolarWinds attacks late last year, is now targeting “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”
We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers. We began observing this latest campaign in May 2021.... Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.
So what steps should you, as an organization whose cloud services are maintained by a (potentially vulnerable) third party, take to protect yourself? In a separate technical post, Microsoft identifies the following three steps you should take to mitigate your risk.
(1) Review, audit, and minimize access privileges and delegated permissions. This is the principle of “least privilege” in practice – don’t give admin privileges to users or processes that don’t actually need them. Don’t work as an admin user on a regular basis; work as a standard user and log into an admin account only when completing tasks that require elevated privileges. Know who has admin accounts! Disable any old accounts, especially admin accounts. Routinely perform an audit of accounts.
(2) Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies. Well, I think you know how I feel about two-factor authentication (2FA) a/k/a multi-factor authentication (MFA). In my opinion, this is the single best way to protect online accounts.
(3) Review and audit logs and configurations. Log files are important because they tell you what has been happening. With proper monitoring and alerting, they can provide an early warning that your system has been compromised. Log files can also help identify configuration issues. A recent study by IBM found that two-thirds of cloud attacks could be stopped by checking configuration settings. The Cloud Security Alliance published a report on the Egregious Eleven top threats to cloud computing, with misconfiguration at the top of the list.
I want to emphasize a point that is implicit in these three steps but is worth a closer look: a thorough audit of partner relationships and what access/privileges they have. Talk to your IT vendor or managed service provider about the services they provide for you and about their security protocols. Find out how diligently they manage employee permissions and credentials (especially when someone leaves). Are they following the three recommendations above for their own access to your systems and data? Remember that the shared responsibility model of the cloud means you cannot simply hand everything over to a vendor and assume the best possible security is in place, especially since cyber criminals are targeting these very organizations because they have access to so many systems other than their own.
Finally, I would add a fourth step to the list from Microsoft: (4) Identify additional security options for your cloud services and enable them. It’s very common for stronger security measures to be available but not implemented by default. Yes, 2FA absolutely, but look at other options also. For example, it may be possible to limit access to your cloud services to only the external IP address of your network. It may be possible to receive an alert if someone logs in after normal business hours, or from an IP address in a foreign country. You don’t know what’s available unless you ask!
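To make the log review in step (3) and the alerting ideas in step (4) concrete, here is a small Python checker run over constructed sign-in records. This is an added example, not code from the original post or from Microsoft; the office network range, home country, business hours and the partner account name are assumptions, and the log records are made up.

```python
import ipaddress
from datetime import datetime

# Constructed sample sign-in records (not real logs): who, when (UTC), from where.
SIGN_INS = [
    {"user": "alice", "time": "2021-11-01T14:05:00", "ip": "203.0.113.10", "country": "US"},
    {"user": "msp-admin", "time": "2021-11-01T02:30:00", "ip": "203.0.113.10", "country": "US"},
    {"user": "bob", "time": "2021-11-01T16:45:00", "ip": "198.51.100.7", "country": "DE"},
    {"user": "svc-backup", "time": "2021-11-01T10:00:00", "ip": "203.0.113.22", "country": "US"},
]

# Hypothetical policy values: the office's external address range, home country,
# business hours (UTC), and the accounts that belong to the managed service provider.
OFFICE_NET = ipaddress.ip_network("203.0.113.0/24")
HOME_COUNTRY = "US"
BUSINESS_HOURS = range(8, 18)          # 08:00 through 17:59
PARTNER_ACCOUNTS = {"msp-admin"}


def check_sign_in(event):
    """Return the list of policy rules a single sign-in event trips."""
    findings = []
    when = datetime.fromisoformat(event["time"])
    if when.hour not in BUSINESS_HOURS:
        findings.append("after-hours")
    if ipaddress.ip_address(event["ip"]) not in OFFICE_NET:
        findings.append("outside-office-network")
    if event["country"] != HOME_COUNTRY:
        findings.append("foreign-country")
    # Partner (reseller/MSP) access deserves review even from the right place and time.
    if event["user"] in PARTNER_ACCOUNTS:
        findings.append("partner-account")
    return findings


def review_sign_ins(events):
    """Map each user to (time, findings) for the sign-ins that need a second look."""
    alerts = {}
    for e in events:
        hits = check_sign_in(e)
        if hits:
            alerts.setdefault(e["user"], []).append((e["time"], hits))
    return alerts


if __name__ == "__main__":
    for user, entries in review_sign_ins(SIGN_INS).items():
        for time, rules in entries:
            print(f"{time} {user}: {', '.join(rules)}")
```

Real tenants expose sign-in logs with many more fields; the point is that a handful of explicit rules already surfaces the after-hours partner sign-in and the foreign, off-network one while leaving routine activity alone.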
And we’ll call that a wrap for this week.
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺