Jan 16 2020
Windows 10 Hole So Bad Feds Order Agencies to Patch – Then Prove They Did
The good news: CoreView has the answer
This week the US federal government warned a new Windows 10 vulnerability is such a threat, that agencies and employees MUST patch it ASAP, and just days later file a detailed report proving they did so. To learn more about patch reporting and dealing with attacks, you can try CoreView for free.
The hole is of great concern to the feds because of the sophisticated and growing threat of state-sponsored cybercriminals always after confidential and classified government data.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information,” the Cyber Security and Infrastructure Security Agency (CISA) said in an emergency directive.
CISA ordered agencies to patch all relevant systems by January 29, and ensure all new and reconnected devices repaired. Any endpoints not fixed should be yanked from the network until updated.
You Must Report
The issue is so serious that all federal enterprise must provide detailed patch reports. By Friday January 17, an initial status report must be filed including “information related to the agency’s current status and projected completion dates, and, if necessary, identified constraints, support needs, and observed challenges,” CISA demanded.
By January 29, all systems must be patched and a full report filed. “Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the January 2020 Security Updates patch has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected endpoints will be patched as required by this directive prior to network connection,” CISA mandated.
Federal Advice Makes Sense for All
While this advice is aimed at federal enterprises, all shops that care about security should take heed. This vulnerability is guaranteed to be broadly hacked, and hacked soon due to the widespread publicity, value of the targets, and the nature of vulnerability hacking.
Newly crafted remote execution attacks against this vulnerability, likely spread by email containing malicious links, could bypass even the best anti-virus/anti-malware tools. “The vulnerability in ECC certificate validation affects Windows 10, Server 2016, and Server 2019. It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection,” CISA detailed. ”The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.”
The Patch is a Blueprint for Criminals
Many cybercriminals take the path of least resistance, and patches are an easy route to invasion. Simply put, the patch details the vulnerability. Hackers reverse engineer the hole, and devise a way in. Then existing exploits are simply thrown against the hole. Cybercriminals know these exploits will not work for everyone, as those who patch are safe. However, a frightenly large portion of users do not patch, even with advances such as Windows Software Update. Most successful hacks, indeed, are against unpatched systems.
Admins Major Source of Concern
CISA advises agencies to take particular care in patching machines of those with admin privileges, as cracking these accounts gives criminals broad and deep access to critical data — information dangerous in the hands of cyber criminals and state-sponsored hacking groups.
5 Steps To Take To Thwart This (And Other) Attacks
1. Block Breaches CoreView Style
The best defense is stopping breaches before they happen. From a prevention standpoint, For instance, CoreView has a global suspicious sign-in attempt map showing not only what IP address hackers were attacking from and failed, but also what accounts they went after. It also shows if the configuration included multi-factor authentication or not, and whether or not conditional access policies were effective for a specific attempt. Finally, it details the end-result of the sign-in attempt.
2. Minimize Breach Damage
Breaches sometimes bust through the best barriers. Most IT shops discover the incursion months or even over a year after it happened. How then do you figure out how and why it happened – or stop its spread?
The answer is forensics that rely on long-term log data quality and retention so you can perform a proper security audit. Here you discover what happened so you can minimize ongoing damage, and by finding the source, stop it from happening again.
This point speaks directly to CoreView’s auditing capabilities. “If I do not know what is going on, then how on earth do I investigate issues? One core security pillar is ‘know thyself’,” said CoreView Solution Architect Matt Smith. “From a Microsoft perspective, they keep application data for 30 days, and just announced that they will increase this to one year, but only for E5 licenses. How can I be effective if I cannot even tell you who signed in a year ago?” The answer is that IT should keep records on access attempts for as long as they have the O365 platform.
Once a data breach or malware infection occurs, you need to find out everything about it. That is where basic security tools fall short. “From a forensic standpoint, anti-virus will tell you that Joe’s PC had a virus on Monday. However, there is no anti-virus platform in the world that shows exactly what he touched since he got that virus,” Smith said.
CoreView, though, quickly gets to the heart of the matter. A CoreView-enabled administrator can choose ‘file access’ and see all the files, the names, and the paths to the files that were accessed after the breach or malware attack. “CoreView can save off these reports as well. The next step is to track where the malware may have spread. For instance, you can see all the files people have accessed within the OneDrive platform where the malware may have landed. These people are now suspected of having malware because one particular user touched this file after he was reported as having malware. The last thing an admin can do is look at OneDrive reports and then external invitations,” Smith argued.
3. Block E-Mail Breaches
Email is the way the exploits based on the new Windows 10 exploits are expected to spread, and get end users to connect to malicious servers sites or download bad code – and mail is already the most common way hackers breach systems. Insecure mailboxes and poor e-mail user practices are perhaps your biggest security exposure.
Monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky activities such as auto-forwarding to external email addresses and limiting access rights to other user’s mailboxes can prevent the spread of malware and the leakage of data through emails. In addition, being aware of unusual email activity prevents targeted spam or social engineering tactics common among today’s cybersecurity threats.
Mailbox security is compromised by spam and malicious malware such as these new exploits. CoreView discovers instances of malware sent from your organization via e-mail – and tracks this spread in minute detail.
As this new vulnerability will be executed via spoofed email, shops can use CoreSecurity message trace to find what users may have received these messages.
4. Tracking and Blocking Spread of Malware
Attacks on this new Windows 10 vulnerability will likely break right through the best anti-virus/anti-malware defenses. “CoreView addresses this by providing auditing tools for cloud operations. Any anti-virus software in the world can show there is malware on a particular device. CoreView shows you every single file accessed, and every single action taken by an administrator or a user since they had a security event on one of their devices. That is how we prevent malware like ransomware from going on, and on, and on, and on – spreading throughout the organization. We proactively see and report on what was touched and then do a deeper dive analysis on those actions,” Smith said. No anti-virus or end point protection tools do this.
5. Reporting on Patches
The feds are demanding agencies report on patching progress and completion – do it soon and do it thoroughly. But how do you know each device was updated? CoreView device reports validate all workstations for appropriate versions of up-to-date software, including the patch status of each machine.
Learn More Protecting Your Environment CoreView
Learn more about patch reporting and dealing with attacks with a CoreView demo.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.