This was a particularly interesting week, with a couple of events worth reviewing (and learning from): the launch of the more security-oriented Windows 11, the Facebook outage and a new ransomware threat for VMware ESXi. I also included a short read on planning for incident response. Here is my take from last week:
I’m starting with a positive one: Microsoft officially released Windows 11 and, while I haven’t had the chance to get my hands on it yet, I’m pleased to see the default emphasis on security! The hardware requirements list is unusually restrictive (TPM 2.0, UEFI firmware with Secure Boot, a CPU able to run virtualization-based security), and that is the price of the “secure by default” approach: these protections need hardware support to operate smoothly. Only time will tell how effective the built-in security capabilities are, but they are pointed in the right direction.
Microsoft says the new hardware security requirements for Windows 11 are meant to create a foundation that’s more resilient against cyberattacks. This version of Windows requires hardware that enables additional protection such as Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity, and Secure Boot… Enabling security by default was a priority for Windows 11, says David Weston, Microsoft’s director of OS and enterprise security. Many of the Windows 11 baseline security features are available in Windows 10; the focus has been making them ready to be available by default. Source: https://www.darkreading.com/endpoint/windows-11-available-what-security-pros-should-know
Facebook was disconnected from the Internet for about 6 hours on Oct 4th. No, it was not a cyberattack; it was a faulty network configuration (a BGP change, for connoisseurs): Facebook’s own backbone routers withdrew the BGP routes announcing its prefixes, including those of its authoritative DNS servers, so the rest of the Internet simply had no path to facebook.com. This is a reminder that security is not only about threats; it covers availability too (the CIA triad: Confidentiality, Integrity and Availability of data and services). While you would expect a large organization like FB to have the basics covered, this can happen to anyone. Here is an interesting comment on Threatpost by John Bambenek, principal threat hunter at IT/security operations firm Netenrich:
The core protocols that make up the internet are getting a bit creaky at this point. Created in the 70s and 80s, they “were not designed with the scale of the Internet as it exists today. They also can be very susceptible to human error where small changes can create catastrophic outages, which we see every year or so. In some ways, this problem will get worse as these protocols are taken for granted, and those who helped develop and implement them are beginning to reach retirement age.” Source: https://threatpost.com/facebook-blames-outage-on-faulty-router-configuration/175322/
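As an added example (my own code, not from the Threatpost article or from Facebook’s post-mortem), here is the check a network-security team would want after an outage like this: a monitor that consumes a stream of BGP updates from several vantage points and alerts the moment a prefix you own is no longer visible from any of them. The update records, vantage-point names, prefixes (RFC 5737 documentation ranges) and origin ASN (RFC 5398 documentation range) are all constructed; in practice the stream would come from a route collector such as RIPE RIS or RouteViews.

```python
"""Route-visibility monitor over a stream of BGP updates (added example).

The records below are constructed: they imitate what several route-collector
vantage points would report when an operator's prefixes are withdrawn from
the whole Internet at once and return hours later. Prefixes come from the
RFC 5737 documentation ranges and the origin ASN from the RFC 5398
documentation block, so nothing here refers to a real network.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Update:
    ts: int                          # epoch seconds (constructed)
    peer: str                        # vantage point that reported the update
    kind: str                        # "A" = announce, "W" = withdraw
    prefix: str
    origin_as: Optional[int] = None  # last AS in AS_PATH; None on withdrawals


class VisibilityMonitor:
    """Counts how many vantage points still hold a route to each prefix and
    records an alert the moment a monitored prefix drops below min_visible."""

    def __init__(self, monitored_prefixes, min_visible=1):
        self.monitored = set(monitored_prefixes)
        self.min_visible = min_visible
        self.routes = defaultdict(set)  # prefix -> peers that currently have a route
        self.alerts = []                # (ts, prefix, peers_still_visible)

    def feed(self, update):
        peers = self.routes[update.prefix]
        before = len(peers)
        if update.kind == "A":
            peers.add(update.peer)
        elif update.kind == "W":
            peers.discard(update.peer)
        else:
            raise ValueError(f"unknown update kind {update.kind!r}")
        after = len(peers)
        # Alert only on the transition, not on every later withdrawal.
        if update.prefix in self.monitored and before >= self.min_visible > after:
            self.alerts.append((update.ts, update.prefix, after))

    def visible(self, prefix):
        return len(self.routes[prefix])


PEERS = ("vp-ams", "vp-nyc", "vp-tok")             # constructed vantage points
MONITORED = ("203.0.113.0/24", "198.51.100.0/24")  # constructed "our" prefixes
ORIGIN_AS = 64496                                  # constructed origin ASN


def sample_stream():
    """Constructed update stream: steady state, one harmless flap at a single
    vantage point, a global withdrawal, and the recovery six hours later."""
    t0 = 1_633_330_800
    stream = [Update(t0, peer, "A", p, ORIGIN_AS) for p in MONITORED for peer in PEERS]
    # One vantage point briefly loses the route: visibility 3 -> 2 -> 3, no alert.
    stream.append(Update(t0 + 600, "vp-tok", "W", "203.0.113.0/24"))
    stream.append(Update(t0 + 660, "vp-tok", "A", "203.0.113.0/24", ORIGIN_AS))
    # Every vantage point withdraws both prefixes within seconds: the outage.
    for i, peer in enumerate(PEERS):
        for p in MONITORED:
            stream.append(Update(t0 + 3600 + i, peer, "W", p))
    # Routes are announced again about six hours later.
    stream.extend(Update(t0 + 7 * 3600, peer, "A", p, ORIGIN_AS)
                  for p in MONITORED for peer in PEERS)
    return stream


def run_sample():
    """Feed the constructed stream and return the monitor for inspection."""
    mon = VisibilityMonitor(MONITORED)
    for u in sample_stream():
        mon.feed(u)
    return mon


if __name__ == "__main__":
    for ts, prefix, left in run_sample().alerts:
        print(f"{ts}: {prefix} visible from {left} vantage points")
```

The single-peer flap at t0+600 is deliberately left silent: one collector losing a route is normal churn, while every collector losing it within seconds is the signature of a withdrawal at the origin, exactly the case where your own monitoring inside the network may be blind because it rides on the same routes. Raising min_visible turns the same monitor into an early warning for partial reachability loss.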
Virtualization presents many security benefits… as long as the hypervisor itself is secure. This week a new ransomware written in Python hit VMware ESXi infrastructures. Why is this significant? ESXi is a very widespread virtualization platform, and by attacking the virtualization layer an attacker gets to encrypt many virtual machines at once instead of compromising each guest separately. The usual hardening still applies: keep the ESXi Shell and SSH disabled unless you are actively using them, enable lockdown mode, require MFA on the management interfaces, and keep backups somewhere the hypervisor’s credentials cannot reach.
The malware created a map of the drive, inventoried the VM names, and then powered each virtual machine off. Once they were all disabled, full database encryption began. OpenSSL was then weaponized to encrypt them all quickly by issuing a command to a log of each VM’s name on the hypervisor. Source: https://www.zdnet.com/article/new-python-ransomware-targets-virtual-machines-esxi-hypervisor-to-encrypt-disks/
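As an added example (my own detection logic, not code from the ZDNet article or from the malware), here is how the sequence described above looks to a SOC rule run over a command audit trail: a VM inventory, a burst of power-offs, then openssl aimed at files on a datastore. The command records are constructed; the commands themselves (vim-cmd vmsvc/getallvms, vim-cmd vmsvc/power.off, esxcli vm process kill, openssl enc) are real ESXi and OpenSSL invocations, while the timestamps, VM ids and datastore paths are made up.

```python
"""Detection for the ESXi attack chain described above (added example):
inventory the VMs, power them all off, then run openssl over their disks.

The command records are constructed and imitate an audit trail of ESXi Shell
commands. The commands themselves (vim-cmd vmsvc/getallvms,
vim-cmd vmsvc/power.off, esxcli vm process kill, openssl enc) are real
ESXi/OpenSSL invocations; timestamps, VM ids and datastore paths are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cmd:
    ts: int      # epoch seconds (constructed)
    user: str
    line: str    # the command as typed


# Steps of the chain, as they appear in a command log.
INVENTORY_RE = re.compile(r"\b(?:vim-cmd\s+vmsvc/getallvms|esxcli\s+vm\s+process\s+list)\b")
POWEROFF_RE = re.compile(r"\b(?:vim-cmd\s+vmsvc/power\.off\s+\d+|esxcli\s+vm\s+process\s+kill\b)")
# openssl enc aimed at anything on a datastore, or at a VM file by extension.
ENCRYPT_RE = re.compile(
    r"\bopenssl\s+enc\b.*?(/vmfs/volumes/\S+|\S+\.(?:vmdk|vmx|vmsd|vmsn|nvram)\b)")


def detect(commands, window=900, min_poweroffs=3):
    """Return findings as (ts, severity, description) tuples, in log order.

    A burst of at least min_poweroffs power-offs inside `window` seconds is
    medium severity on its own and high if a VM inventory was taken first;
    any openssl enc aimed at VM files is critical regardless of what
    preceded it.
    """
    findings = []
    poweroffs = []          # timestamps of power-offs inside the current window
    saw_inventory = False
    for c in commands:
        if INVENTORY_RE.search(c.line):
            saw_inventory = True
        if POWEROFF_RE.search(c.line):
            poweroffs.append(c.ts)
            poweroffs = [t for t in poweroffs if c.ts - t <= window]
            if len(poweroffs) == min_poweroffs:     # fire once per burst
                sev = "high" if saw_inventory else "medium"
                findings.append((c.ts, sev,
                                 f"{c.user} powered off {min_poweroffs}+ VMs within {window}s"))
        m = ENCRYPT_RE.search(c.line)
        if m:
            findings.append((c.ts, "critical",
                             f"{c.user} ran openssl enc against VM file {m.group(1)}"))
    return findings


def sample_commands():
    """Constructed audit trail: routine maintenance, then the attack chain."""
    t0 = 1_633_500_000
    enc = ("openssl enc -aes-256-cbc -pbkdf2 -pass file:/tmp/k "
           "-in /vmfs/volumes/ds1/app01/app01-flat.vmdk "
           "-out /vmfs/volumes/ds1/app01/app01-flat.vmdk.enc")
    return [
        Cmd(t0,        "root", "esxcli system version get"),
        Cmd(t0 + 30,   "root", "vim-cmd vmsvc/power.off 7"),   # one VM, maintenance
        Cmd(t0 + 40,   "root", "vim-cmd vmsvc/power.on 7"),
        Cmd(t0 + 7200, "root", "vim-cmd vmsvc/getallvms"),    # step 1: inventory
        Cmd(t0 + 7205, "root", "vim-cmd vmsvc/power.off 1"),  # step 2: mass power-off
        Cmd(t0 + 7206, "root", "vim-cmd vmsvc/power.off 2"),
        Cmd(t0 + 7207, "root", "vim-cmd vmsvc/power.off 3"),
        Cmd(t0 + 7208, "root", "vim-cmd vmsvc/power.off 4"),
        Cmd(t0 + 7260, "root", enc),                          # step 3: encrypt
    ]


if __name__ == "__main__":
    for ts, sev, what in detect(sample_commands()):
        print(ts, sev.upper(), what)
```

ESXi records ESXi Shell commands in /var/log/shell.log; forwarding that file with the rest of the host’s syslog to your SIEM is what makes a rule like this possible. The burst threshold sits above what a single maintenance reboot produces (the lone power-off at t0+30 stays silent), and the openssl rule fires on its own because there is no legitimate reason to run openssl enc over a datastore.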
I decided to also include a good “how-to” resource whenever possible. This one is on a favorite topic of mine: planning for incident response. As the famous quote goes: failing to plan is planning to fail. Cybersecurity failures can be very expensive, so you might want to prioritize planning (and preparation).
From ransomware threats to malware attacks, businesses across the globe are experiencing an overwhelming increase in cybersecurity breaches (Bogdan’s note: 20% over last year) that are both devastating and well-coordinated. Whether designed for individuals to click on compromising web pages or open infected email attachments, most cyberattacks today target human error.
In addition to the technology available to keep us safe, your organization also depends heavily on its people to make the right security decisions. To avoid having to go into emergency-recovery mode during an attack, corporations should methodically plan and prepare for cyber-incidents using the following incident-response checklist, for minimized damage and a swift recovery. Source: https://threatpost.com/incident-response-plan-security-disaster/175335/