March 22, 2022
Good morning, everyone!
The latest critical vulnerabilities:
Patch All the Things!
Configuration is Everything
You have read past editions of this newsletter where I talk about the importance of proper configuration, especially in the cloud environment. One big incident in the news this past week is a glaring example:
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability.
The report details three crucial mistakes that allowed this to happen:
(1) The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password.
(2) The victim account had been un-enrolled from Duo [MFA] due to a long period of inactivity but was not disabled in the Active Directory.
(3) As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.
Each of these mistakes is easily mitigated by standard security practices:
(1) Enforce password complexity policies.
(2) Disable inactive accounts.
(3) Change vendor-default configuration settings.
See how easy it can be to avoid a cyber incident? Basic Cyber Hygiene.
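As an added illustration (not part of the advisory or this newsletter), the following Python audit models the exact gap described above: an account that is still enabled in the directory, has been inactive for a long period, and is no longer enrolled in MFA. It assumes you already have a directory export and an MFA enrollment report; the `Account` fields and the sample records are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical account record combining a directory export (e.g. AD) with an
# MFA provider's enrollment report. Field names are assumptions for this example.
@dataclass
class Account:
    username: str
    enabled: bool          # still enabled in the directory
    last_logon: date       # last successful logon
    mfa_enrolled: bool     # has an active device registered with the MFA provider

def dormant_mfa_gap(accounts, today, inactive_days=90):
    """Return usernames in the state the advisory describes: enabled in the
    directory, inactive past the threshold, and no longer enrolled in MFA.
    Such an account can be re-enrolled by whoever holds its password if the
    MFA provider's defaults allow re-enrollment for dormant accounts."""
    cutoff = today - timedelta(days=inactive_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and a.last_logon < cutoff and not a.mfa_enrolled
    )

def disable_dormant(accounts, today, inactive_days=90):
    """Mitigation (2): disable every enabled account inactive past the
    threshold, regardless of MFA state. Returns the usernames changed."""
    cutoff = today - timedelta(days=inactive_days)
    changed = []
    for a in accounts:
        if a.enabled and a.last_logon < cutoff:
            a.enabled = False
            changed.append(a.username)
    return sorted(changed)

# Constructed sample data so the script runs stand-alone.
TODAY = date(2022, 3, 22)
SAMPLE = [
    Account("jdoe",   True,  date(2022, 3, 20), True),   # active and enrolled: fine
    Account("asmith", True,  date(2021, 10, 1), False),  # the advisory's scenario
    Account("bjones", False, date(2021, 6, 15), False),  # dormant but disabled: fine
    Account("clee",   True,  date(2022, 1, 5),  False),  # recent logon, not enrolled
]

if __name__ == "__main__":
    print("dormant + enabled + un-enrolled:", dormant_mfa_gap(SAMPLE, TODAY))
    print("disabled by policy:", disable_dormant(SAMPLE, TODAY))
    print("remaining gap:", dormant_mfa_gap(SAMPLE, TODAY))
```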
In case you thought they weren't serious
Last October, the Department of Justice announced its new Civil Cyber-Fraud Initiative to "leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DOJ calls cybersecurity fraud." Last week, they settled their first case for $930,000 from Comprehensive Health Services (a government contractor) for allegedly failing to use a secure Electronic Medical Record system that they had installed to protect patient data. Say what you do, and do what you say.
Go forth and be secure, and have a great week!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺