Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 26th 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler, head of Montreal’s Cyology Labs, will be here to discuss recent headlines. That includes looking at recommendations from the Network Resilience Coalition on how hardware and software manufacturers can help beef up the security of IT networks, a U.K. report predicting the impact artificial intelligence will have on cyber threats, a Canadian hospital’s response to a ransomware attack and Microsoft’s admission about a hacking incident.
But before we get to the discussion a quick review of other news from the past seven days:
Another tech company has admitted to being hit by a Russian threat actor. Hewlett Packard Enterprise says a group dubbed Midnight Blizzard by some researchers, and Cozy Bear by others, was able to access the company’s cloud-based email system last year. The attack started last May but HPE was notified only in December. The attack on the email system is likely related to the theft of company SharePoint files. This attack has similarities to the Microsoft attack that Terry and I will talk about later.
Cybersecurity researcher Bob Dyachenko, who specializes in finding unsecured databases on the internet, has scored a big one. According to Cybernews, he recently found a cache of 26 billion records with over 3,800 folders. Each folder corresponded to a data breach, with information including login credentials collected from LinkedIn, Twitter, Weibo, Tencent and other platforms. They include previously stolen data that researchers know about as well as privately sold databases. It isn’t known who the cache belongs to.
Separately, the staff at Cybernews say they discovered a database late last year with millions of corporate chat messages belonging to an American IT services provider. It isn’t known if threat actors also came across this database.
Hundreds of GitLab instances in the U.S. and thousands of others around the world still haven’t been patched to close a vulnerability. That’s according to a tweet from the Shadowserver Foundation. The patch was released two weeks ago for those running their own instances of GitLab.
More on patching: Jenkins has discovered a critical vulnerability in its automation server. The problem is in a library that allows the parsing of command arguments. An attacker leveraging the hole could read files on the Jenkins controller file system. Install a security update fast.
Finally, hackers are taking advantage of unpatched versions of Apache ActiveMQ servers. That’s according to researchers at Trustwave. Administrators were warned last October to upgrade their servers when the vulnerability was discovered.
(The following transcript covers the first part of the conversation. To hear the full discussion play the podcast)
Howard: We’ll start with the report from the Network Resilience Coalition, a group of hardware and software manufacturers and corporate buyers who want to strengthen the security of the backbone of IT networks — routers, switches, firewalls, gateways. One of the big concerns is that some network administrators aren’t patching vulnerabilities fast enough. In fact some aren’t patching at all because they can’t afford network downtime. So the coalition recommends manufacturers separate security patches from security feature updates. Second, manufacturers should make it clear how long products will be supported so IT departments know when they are end of life. Third, manufacturers should build their software better with more security. As for buyers, the coalition says they should give preference to products that are built better and make sure products are using the best security configurations.
What did you think when you read the recommendations? Are they achievable, and if so, how long will it take to have a meaningful impact?
Terry Cutler: Security patches are often delayed because they’re bundled with security updates, which will require more extensive testing. So by separating them network administrators can quickly apply the critical security patches without worrying about the potential instability of other things that are produced — like, for example, new security features. But this is going to require a change in the software development and release strategy from manufacturers. So focusing more on a modular, independent type of update system. But this is to have a real impact on short-term and long-term timelines. Once it’s implemented the benefits will be ‘Hey, we’ll have faster and more focused security updates.’ But at the same time you know manufacturers have to also adjust their development processes and we’re going to need better clarity on product support lifespans. Knowing the end-of-life timeline of a product is going to be critical for IT planning, but it also allows better budgeting and risk management, especially in terms of security vulnerabilities that won’t be patched after a certain date.
Software developers are [also] going to need to improve their security from the ground up. Here’s a real story: We’re actually training folks who are seasoned developers in healthcare who don’t even know what Nmap is. [For those who don’t know, it’s a network scanner for discovering hosts and services] Because of that they don’t know how to find flaws in their own application. So by building software stronger, focus on security is going to be essential in today’s landscape — especially with today’s cyber threats. This is going to include better security coding practices, rigorous testing and of course a commitment to ongoing security assessments.
Going back to your last point about encouraging buyers to prioritize security products in their purchasing decisions, that’s very powerful. But one of the problems is they’re not subject matter experts. So they don’t necessarily know what they’re buying.
Here’s another real situation that we just ran into recently: We went to assess a retail company and one of the things they asked me to do while I was there was to assess what an MSP [managed service provider] was selling them. I look it over and it’s merely a simple upgrade. ‘You’re gonna need a new firewall, here’s some managed switches and new access points,’ [the MSP said]. So I asked them, what are you doing for endpoint protection, network security and cloud security? They had nothing. The MSP was able to convince management that all they needed to do was buy these upgrades and the customer would be totally safe. So they did. I couldn’t believe they went for it.
Howard: At a press conference accompanying the release of the report an official from Cisco Systems said it may be hard to separate security updates from new features. His worry is that what may happen is two departments with identical equipment from a manufacturer will end up having different networks — one with a new feature, one without — and that could screw up patches that are being released by vendors. Is this a realistic worry?
Terry: He’s right, because this could lead to product development problems. There could be features that are intertwined with new security updates and now all of that would break. So now the vendor would be developing and managing two separate products that now have to interlink with each other if a client has a basic version or has to upgrade to the new full version. It doesn’t make sense. Think about this for a second: Each new security feature potentially requires testing for compatibility and integration and that’s going to add layers of complexity to the patch management process [of the customer]. If the primary goal is to separate patching from the security updates this will definitely lead to extensive testing and a lot of things are going to break. This can lead to a tradeoff where uniformity and predictability of the network environments could be compromised, impacting the efficiency and effectiveness of IT operations.
We’re going to need to look at a balanced approach where manufacturers will offer the option to separate security patches [from features] but also provide guidance on how to manage these security features in a way that can minimize disruption.
As someone who’s worked for a large software company this is just going to add so much more development complexity it’s going to put a real strain on both the software developers and the IT staff, who will be trying to figure out what broke once an update gets applied.
Howard: Well, there’s pressure on manufacturers to ship shiny new buttons — ‘Look at what we’ve added to version 8.2.3!!’ — to compete with a competitor who announced a new feature. That can lead to shoddy development. Now, one of the report’s recommendations, that manufacturers adhere to the NIST Secure Software Development Framework, is aimed at blunting that, but are vendors going to be able to resist shipping code fast with added features to compete with competitors?
Terry: It really comes down to two things: Innovation and marketing. If you have a really great product but no one’s heard of you it’s not going to work, and if you have a really crappy product and you’re really great at marketing your product reviews are really going to go down. So there needs to be a balance. As you know, when we start shipping products that haven’t been properly tested or coded properly it’s going to lead to really inadequate testing and really bad application development, especially on the security side. But by following the Framework manufacturers can at least build more secure software and it’ll help reduce the risk of vulnerabilities that will be exploited.
Howard: And will IT buyers put security ahead of price when they’re buying network equipment?
Terry: I don’t think things are going to change because IT buyers are not subject matter experts. They’re going to require more education. The more we educate and update IT buyers about the potential costs and impacts of security breaches the more I think they’re going to prioritize security in their purchasing decisions. And I think that the reputation of network equipment vendors is also going to matter. They want to know, ‘Are you in the Gartner Magic Quadrant? Are you on television? Are you doing all these things?’ Those external things are going to sway the IT buyers.