Securing Your IT Infrastructure: The Critical Role of Server Patching

In the ever-evolving landscape of information technology, the security of your servers is paramount. One key aspect of maintaining a secure IT environment is regular server patching. In this blog post, we will explore the importance of patching servers, look at one common class of vulnerability, the buffer overflow, and review the recent warning from the Cybersecurity and Infrastructure Security Agency (CISA) about a buffer overflow in the GNU C Library's handling of the GLIBC_TUNABLES environment variable.

Server patching involves applying the latest software updates, security patches, and bug fixes to the operating system, applications, and other software components on your servers. This ongoing process is crucial for several reasons, including: 

Security Enhancements

Patches often address known vulnerabilities in software. Failing to apply patches promptly can leave your servers exposed to exploitation by cybercriminals seeking to take advantage of these vulnerabilities. 

Performance Optimization

Updates may include performance improvements and optimizations that ensure your servers run more efficiently. This can lead to better overall system performance and responsiveness. 

Compatibility with New Technologies

As technology advances, software developers release updates to ensure compatibility with the latest technologies. Regular patching ensures your servers can seamlessly integrate with new hardware and software. 

Compliance Requirements

Many industries and regulatory bodies mandate that organizations adhere to specific security standards. Regular server patching is often a requirement for meeting these compliance standards.

Change Control

In a live environment where servers support critical business operations, any disruption or downtime can have significant consequences. So while the concept of patching is simple, patching production servers is a challenging process that requires careful planning and adherence to change control. The difficulty lies in balancing the need to apply security patches promptly against the risk of destabilizing a working system. Change control, a systematic process for managing changes to an IT environment, provides that structure: patches are planned, tested in a staging environment that mirrors production, validated, and rolled out with a documented back-out plan, so that they do not introduce unforeseen issues or conflict with existing configurations while still delivering the fix they were released for. A mature change-control process also defines an expedited path for emergency patches, so that a vulnerability already being exploited in the wild is not left open while a routine approval cycle runs its course.

Buffer Overflow Vulnerability

Vulnerabilities come in all shapes and sizes. One of the most common exploitable classes is the buffer overflow, a memory-safety flaw in software written in languages such as C and C++ that do not check array bounds for the programmer. The defect is improper handling of input: a program copies data into a buffer (a fixed-size region of memory, on the stack or the heap) without first verifying that the data fits. In an attack, the adversary supplies more data than the buffer can hold, and the excess spills into adjacent memory, overwriting whatever lives there: other variables, heap metadata, function pointers, or the saved return address on the stack. By carefully crafting the overflowing data, the attacker can redirect the program's control flow, either to code they injected or, where protections such as non-executable memory prevent that, to existing code already in the process, and make the program execute instructions it was never meant to run. Because the corrupted program keeps running with its own privileges, a successful overflow can hand the attacker arbitrary command execution, escalate privileges (for example when the vulnerable code runs as root or inside a setuid binary), and compromise the confidentiality and integrity of the system. Stack canaries, address-space layout randomization and non-executable memory raise the cost of exploitation but do not remove the underlying bug; only correcting the code, delivered to your systems through patching, does that.
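To make the mechanism concrete, here is an added C example (not code from the original post) that shows the vulnerable and hardened forms of the same copy side by side. The struct layout, field names and the sample input are constructed for illustration; the point is that an unchecked copy into `name[]` lands on the `is_admin` flag that sits right after it in memory, while the checked version refuses the input and leaves the record untouched.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed example, not code from the original post: a fixed-size record
 * that some front end fills from untrusted input. The layout deliberately puts
 * a privilege flag right after the name buffer, so an overflow of name[]
 * corrupts is_admin, the "adjacent memory" effect described above. */
#define NAME_MAX 16

struct session {
    char    name[NAME_MAX];   /* must hold the NUL terminator as well */
    uint8_t is_admin;         /* sits immediately after name[] in memory */
};

/* Vulnerable form (CWE-120): strcpy() does not know how large name[] is and
 * copies until it finds a NUL, so any input of NAME_MAX or more bytes writes
 * past the buffer into is_admin and beyond. Kept for contrast; never call it
 * on untrusted input. */
void set_name_unchecked(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* Hardened form: bound the scan, refuse anything that does not fit together
 * with its terminator, and copy with an explicit length. Returns 0 on success
 * and -1 on rejection; on rejection the struct is left untouched. */
int set_name_checked(struct session *s, const char *input)
{
    /* memchr() never reads beyond NAME_MAX bytes, unlike strlen(). */
    const char *nul = memchr(input, '\0', NAME_MAX);
    if (nul == NULL)                 /* no terminator within NAME_MAX: too long */
        return -1;
    size_t len = (size_t)(nul - input);   /* < NAME_MAX, so len + NUL fits */
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Accessor so callers (and tests) can confirm the flag survived bad input. */
int session_is_admin(const struct session *s)
{
    return s->is_admin;
}

int main(void)
{
    struct session s = { "guest", 0 };
    /* Constructed attacker input: 20 'A's, longer than NAME_MAX. */
    const char *payload = "AAAAAAAAAAAAAAAAAAAA";

    if (set_name_checked(&s, payload) < 0)
        printf("rejected %zu-byte name; is_admin still %d\n",
               strlen(payload), session_is_admin(&s));

    /* set_name_unchecked(&s, payload) here would write past name[] into
     * is_admin (undefined behaviour; on a typical build is_admin becomes 'A',
     * i.e. non-zero). Build with -fsanitize=address to have the out-of-bounds
     * write reported instead of silently corrupting the record. */
    set_name_unchecked(&s, "alice");   /* safe only because the input is short */
    printf("name=%s is_admin=%d\n", s.name, session_is_admin(&s));
    return 0;
}
```

Compile with `cc -Wall -fsanitize=address example.c` to see how AddressSanitizer flags the unchecked copy the moment it is fed the long payload. The same discipline as in `set_name_checked`, a bounded length check before every copy into fixed storage, is what the glibc fix discussed below restores in the loader's tunables parser.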

One such buffer overflow is the subject of a recent CISA alert. The flaw, tracked as CVE-2023-4911, lies in how the GNU C Library's dynamic loader (ld.so) parses the GLIBC_TUNABLES environment variable, and CISA has added it to its Known Exploited Vulnerabilities catalog with a directive for federal agencies to patch. GLIBC_TUNABLES lets a system administrator adjust library behaviour, such as memory allocator settings, at process start-up without recompiling the program. The GNU C Library, commonly called glibc, is the GNU Project's implementation of the C standard library and a core component of the GNU operating system and most Linux distributions; it provides the fundamental functions that nearly every program on the system ultimately depends on. Because the loader processes the variable before the program's own code runs, an unprivileged local user can trigger the overflow simply by setting GLIBC_TUNABLES and executing a setuid-root binary, which is why the bug is a local privilege escalation to root rather than a remote attack. The bug was introduced in glibc 2.34 (released in 2021), and distributions backport the fix into their own package versions, so verify remediation against your vendor's security advisory for the glibc package rather than by comparing upstream version numbers alone.

In what might only be labeled as a moment of comedic relief, the vulnerability has been dubbed "Looney Tunables." Publicly disclosed in October 2023, it has since been exploited in the wild by the Kinsing threat actor group (also tracked as Money Libra), which uses it to escalate privileges inside compromised containerized environments and deploy cryptocurrency-mining malware.

The Importance of Patching

The importance of patching servers in an IT environment cannot be overstated. Regular server patching is a fundamental aspect of maintaining a secure infrastructure, protecting against known vulnerabilities, and ensuring compliance with industry standards. Understanding specific vulnerabilities, like the glibc buffer overflow above, and knowing which platform features attackers reach for, such as the GLIBC_TUNABLES environment variable, lets administrators prioritize the patches that matter most and confirm that a fix has actually landed (for Looney Tunables, by checking that the vendor's patched glibc package is installed and that long-running processes have been restarted so they load the updated library). By staying vigilant and proactive in server maintenance, organizations can mitigate potential risks and create a more robust and resilient IT environment. If you'd like assistance in developing a mature patching program as part of a comprehensive cybersecurity program, please contact Ntirety.

Balancing Transparency and Practicality Amidst CISA Call for Enhanced Cyber Incident Reporting

The Cybersecurity and Infrastructure Security Agency (CISA), led by Director Jen Easterly, made a compelling case for increased cyber incident reporting in late 2023. While the intent behind this initiative is commendable – and the need for improved cybersecurity measures evident – it’s crucial to critically assess the proposed approach and its potential implications, as it could become a double-edged sword for organizations.

The Urgency of Cyber Incident Reporting

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) due to the escalating scale, sophistication, and impact of cybersecurity threats. Organizations, critical infrastructure, and governments continue to face looming risks across the digital landscape, and timely detection and response are pivotal in mitigating the damage caused by cyber incidents.

Easterly’s push for mandatory incident reporting aims to address this challenge by fostering transparency and information sharing among organizations. The rationale is that by collecting and analyzing data on cyber incidents, CISA can offer better guidance and support to organizations, enabling them to bolster their defenses and respond more effectively to attacks.

This much-needed initiative has been anticipated for some time, signifying a union between the private sector and national organizations. However, the adoption of such a standard is a journey that must acknowledge certain realities.

The Potential Challenges

There are several potential challenges associated with mandatory cyber incident reporting that merit consideration:

  1. Compliance Burden: Requiring all organizations, regardless of size or industry, to report every cyber incident can create a significant compliance burden. Smaller organizations with limited resources may struggle to meet reporting requirements, diverting their attention and resources from other cybersecurity efforts.
  2. Data Security Concerns: Sharing sensitive information about cyber incidents raises concerns about data security and privacy. Organizations may be hesitant to disclose details of a breach that could expose them to legal or reputational risks. Striking a balance between transparency and data protection is a delicate task.
  3. Potential for Misuse: The information collected through mandatory incident reporting could be misused if not handled carefully. It might inadvertently provide cybercriminals with insights into vulnerabilities, tactics, and targets. There is also a risk of sensitive information being leaked or exploited by malicious actors.
  4. Reporting Fatigue: An influx of incident reports could overwhelm CISA and other relevant agencies, potentially leading to delayed response times or a backlog of cases. It might also result in “reporting fatigue,” where organizations hesitate to report incidents due to perceived complexity and time requirements.
  5. Resource Allocation: Organizations must allocate resources judiciously, focusing on threat prevention, detection, and response. The additional administrative and reporting burden could divert resources from proactive cybersecurity measures, and potentially leave organizations more vulnerable to attacks.

At this stage, the proposed initiative appears to have shortcomings in addressing these risks. It’s crucial to carefully consider the potential drawbacks and unintended consequences of such a mandate.

The Way Forward: Collaborative Solutions

Effective collaboration is essential for fostering a productive partnership between Government and Industry, with several key steps:

  1. Education and Training: Both government and industry can invest in training programs to build a highly skilled cybersecurity workforce and facilitate a better understanding of each other’s needs and constraints.
  2. Shared Frameworks: Developing standardized frameworks for incident reporting, threat intelligence sharing, and vulnerability disclosure can simplify processes for both sides and reduce legal concerns.
  3. Seamless Communication: Enhanced communication channels between government agencies and tech companies can streamline the flow of information. Regular dialogues and joint exercises can enhance mutual understanding.
  4. Incentives and Support: Governments can offer incentives, such as tax breaks or grants, to encourage the tech industry to invest in cybersecurity. Public-private partnerships can also be formed to bolster collective defense.
  5. Transparency: Promoting transparency in decision-making processes and prioritizing it in incident reporting when it doesn’t jeopardize national security can support these efforts.

Genuine Concern: Bureaucracy Vs. Security

The call for increased cyber incident reporting by CISA is driven by a genuine concern for national cybersecurity and the safety of critical infrastructure. Striking the right balance between transparency and practicality is, however, key. While incident reporting can enhance our collective understanding of cyber threats and responses, it must be implemented in a way that doesn’t unduly burden organizations or compromise data security. Moreover, it should be accompanied by robust support mechanisms, including guidance on what and how to report, as well as resources to help organizations bolster their cybersecurity defenses.

In the ever-evolving landscape of cybersecurity, collaboration between government agencies and private organizations is crucial. However, achieving the right balance between security, privacy, and compliance is a complex challenge that requires careful consideration and ongoing dialogue among all stakeholders involved.

This article was originally published in Forbes. Please follow me on LinkedIn.

Cyber Everything: How U.S. Agencies Can Strengthen Resilience Against Attacks

It is not just early hurricanes, heat waves, and droughts we must worry about. A tumultuous cyber summer has descended upon us, marked by a surge in attacks against U.S. governmental agencies. The Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that multiple federal agencies fell victim to intrusions resulting from the MOVEit vulnerability (a SQL injection flaw in Progress Software's MOVEit Transfer file-transfer product, exploited at scale by the Cl0p ransomware group). Reports indicate that sensitive systems were compromised, and classified information was potentially exposed.

Government computing systems are fortified with extensive redundancies, contingencies, and numerous controls behind the scenes, which makes a cyber event within this domain deeply unsettling. A successful attack implies the involvement of well-resourced and highly skilled threat actors, typically driven by espionage, political, or economic motives. Their ability to breach government systems highlights their unwavering pursuit of sensitive information – and the urgent necessity for stronger cyber defenses for government entities. Beyond the government realm, it’s clear a fundamental paradigm shift is necessary to confront the evolving threat landscape effectively.

Agencies Are Not Alone

Every single industry confronts similar digital threats. This event illustrates that no one is immune to cyberthreats, and to say otherwise is intellectually dishonest. To adapt to today’s complex matrix of challenges and address imminent dangers ahead, organizations must collaborate and foster a cybersecurity-first mindset. We can take several long-term considerations from the onslaught against government agencies:

  1. Public-Private Collaboration: Cybersecurity is unquestionably a shared responsibility, necessitating collaboration between governments, private sector entities, and cybersecurity experts. Establishing partnerships that facilitate information sharing, threat intelligence exchange, and joint incident response will strengthen our collective ability to detect, prevent, and respond to cyber threats effectively. The private sector can offer valuable lessons and technology to agencies, and vice versa.
  2. Stronger International Cooperation: Like the internet itself, cyber threats transcend borders. This means effective mitigation requires global cooperation. Encouraging international collaboration through frameworks, treaties, and diplomatic efforts promotes the exchange of best practices, harmonizes cybersecurity standards, and facilitates joint investigations and prosecutions of cybercriminals.
  3. Continuous Learning and Adaptation: Cultivating a culture of continuous learning, knowledge sharing, and professional development empowers cybersecurity teams to remain vigilant and resilient in the face of emerging threats. As the cybersecurity landscape rapidly evolves, it’s necessary for professionals across organizations to stay informed, learn from incidents, and adapt their strategies accordingly.
  4. Security by Design: Emphasizing the critical nature of this component, security must be embedded into every layer of our digital infrastructure. Adopting secure coding practices, conducting regular security assessments, and implementing secure configurations throughout networks, applications, and systems can help minimize vulnerabilities and reduce the attack surface.
  5. Proactive Threat Intelligence: Organizations must invest in sophisticated threat intelligence capabilities to stay ahead of emerging threats and anticipate potential attacks. Threat intelligence feeds, proactive threat hunting, and information-sharing partnerships provide valuable insights for effective threat detection and response.
  6. Importance of Cyber Resilience: The targeted attack on the US government serves as a resounding call to action for investment in cyber resilience. While significant effort is often directed towards prevention, resilience should not be neglected. Cyber resilience encompasses not only preventative measures, but also incident response preparedness to ensure organizations can swiftly detect, contain, and recover from cyber incidents. Backups, procedures, and contingencies play a critical role in the recovery process.
  7. Continuous Monitoring and Incident Response: Who’s watching the roost? Implementing advanced security monitoring solutions enables timely detection and response to cyber threats. Organizations should establish robust incident response plans, conduct regular exercises, and continuously evaluate and refine response capabilities to minimize the impact of incidents.

On the Other Side

The threat landscape is in a constant state of flux, demanding an unwavering commitment to cybersecurity at all organizational levels. As we reflect on the recent cyberattack targeting the US government, it becomes evident that such incidents will persist. This event serves as a potent reminder that defending against cyber threats is an ongoing battle.

To navigate this ever-changing landscape effectively, organizations and their leadership must embrace foundational security mindsets and leverage advanced technologies. Organizations and agencies of all sizes need to remain vigilant and dedicated to protecting increasingly valuable digital assets and critical infrastructure. Together, we can prioritize cybersecurity as an integral part of our collective mindset and fortify our defenses to build a resilient future. With a steadfast commitment to security, we can navigate the challenging cyber landscape with confidence and protect what matters most.

This article was originally published in Forbes. Please follow me on LinkedIn.

Rising global tensions put us a few lines of code away from a significant cyber event

Cyberthreats are dominating the news headlines. Ntirety CEO Emil Sayegh highlights the current ever-changing cyber landscape and how we can better protect our cyber infrastructures. 

Reflecting on the threats and targets that we are most concerned with given the Russia-Ukraine war, cybersecurity is now the front line of our country’s wellbeing. Cyber threats endanger businesses and individuals — they can affect supply chains, cause power grid failures, and much more. 

This growing environment of risks and increasingly aggressive adversaries demand our readiness, yet our national response continues to be largely reactive to threat conditions. History shows how a small event built on daisy-chained circumstances can kick off a catastrophe, or even a shooting war. 

As the war in Ukraine endures and countries around the world take sides, a rising threat emerges from Russian sources, adversarial states, unscrupulous opportunists, and a shadow world of fifth-column provocateurs. An 800% increase in malicious activity was observed in the first 48 hours of the invasion alone, and scanning and probing of domestic network infrastructure are reaching historic highs.

Cyber vs kinetic warfare 

This is a heightened condition of hostilities that will continue and extend beyond physical engagements. We must confront the fact that globally sourced cyberattacks are the essence of modern warfare. It is simpler, cheaper, and more impactful to run a cyberattack campaign than a traditional kinetic act of war. 

Cyberattack campaigns make strategic military sense because they can disrupt communications and energy supply, degrade military readiness, demoralize a population, or make any number of dire situations worse. This is why we see intelligence agencies either directly or indirectly involved in cyberwarfare.

As Russia becomes more isolated from the rest of the world, it is believed that even in the aftermath of current conflicts its leaders, intelligence agencies, and even rogue groups of unemployed hackers will be more apt to deploy cyberattacks, either in retaliation or simply for monetary gain. 

China has targeted the United States for decades and they have done so on every possible front. From the military, to business, to finance, to the global race for resources, China has leveraged every possible point using tools such as political influence, market manipulation, cyber intrusions, partnerships, and military threat. 

Throughout the industry, we can trace countless advanced attacks and backdoors to their efforts. In the crosshairs are state departments, contractors, and any organization they can hook themselves into. In many cases their aim is longer-lasting than a ransom: industrial espionage and the theft of intellectual property.

Rebuilding Security 

We are in a position where even a minor escalation of cyberattack characteristics could cripple this nation and cause massive impacts on life and property. Our response positioning must equal and exceed the specter of the overall threats, and our readiness must be comprehensive. 

In addition to the ongoing Congressional efforts to improve our national cybersecurity, we must add the following tasks to the national cybersecurity mission: 

  • Fix the damage. We must put a priority on funding new security initiatives, with an emphasis on new technologies, the growth of intelligent protection, and services that can augment the baseline of overall security posture.
  • Training a nation. Quality training systems must be made readily available that address modern kill-chain awareness, attack simulations, and advanced countermeasure techniques.
  • Greater collaboration. We must expand the efforts of the Cybersecurity and Infrastructure Security Agency (CISA) to work with the community beyond early warning systems, and to help model comprehensive cybersecurity protection systems by leveraging technologies and services.
  • Pursue criminal activities. We must continue to bring cases of cyber theft, cyberespionage, and cyberattack to the point of grand jury indictment. We need these cases as assets in defending our digital sovereignty, even when they will not result in fines or jail time.

Building a secure digital future is an essential task that demands success, and it should be one of our core missions as a nation. We must take measures to improve cybersecurity through increased knowledge, better technologies, and tactics that are built for the modern range of cyberthreat conditions. 

From mobile endpoints to applications, to identity, and onward to the cloud and infrastructure combined, safeguarding critical assets is a comprehensive task that requires the highest possible prioritization. The recent history of cyber-driven disruptions to critical services thus far has only been indicative of warnings of what could happen. 

We must face the threat that we are only a few lines of code away from a very significant event. Our readiness must improve immediately. 


This piece was originally published in The Last Watchdog. Please follow me on LinkedIn.