Month: August 2024

5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and privacy are faced with safeguarding this technology while its development, deployment, and usage are still evolving.

To help, the NIST National Cybersecurity Center of Excellence (NCCoE) has launched the Applying 5G Cybersecurity and Privacy Capabilities white paper series. The series targets technology, cybersecurity, and privacy program managers within commercial mobile network operators, potential private 5G network operators, and organizations using and managing 5G-enabled technology who are concerned with how to identify, understand, assess, and mitigate risk for 5G networks. In the series we provide recommended practices and illustrate how to implement them. All of the capabilities featured in the white papers have been implemented in the NCCoE testbed on commercial-grade 5G equipment.

We are pleased to announce the following white paper which introduces the series:

Applying 5G Cybersecurity and Privacy Capabilities—Introduction to the White Paper Series

This publication explains what you can expect from each part of the series: information, guidance, recommended practices, and research findings for a specific technical cybersecurity or privacy-supporting capability available in 5G systems or their supporting infrastructures.

Simultaneously, we are also publishing the first technical white paper of the series:

Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI)

This publication describes enabling SUCI protection, an optional capability new in 5G which provides important security and privacy protections for subscribers. 5G network operators are encouraged to enable SUCI on their 5G networks and subscriber SIMs and to configure SUCI to use a non-null encryption cipher scheme; this provides their customers with the advantages of SUCI’s protections.

Feedback Wanted

We welcome your input and look forward to your comments by September 16, 2024. We invite you to join the 5G Community of Interest (COI) and we’ll notify you when a paper in the series is being released. 

Coming Soon: Using Hardware-Based Security to Ensure 5G System Platform Integrity Whitepaper!

Download and Comment Now

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Security, Compliance, and Identity (SCI) Fundamentals to master the basics of SCI. You’ll learn about identity and access management while exploring compliance management fundamentals and solutions. Learn the technical skills, knowledge, and insights you need to help protect people and data in your organization with comprehensive Microsoft Security solutions. After completing this training, you’ll be eligible to take the Security, Compliance, and Identity Fundamentals certification exam at 50% off the exam price. You will have the opportunity to: Dive into comprehensive threat prevention, detection, and response capabilities in Microsoft Defender. Discover the latest identity and access innovations and how to strengthen your defense strategy with Microsoft Entra. Understand how to protect personal data and stay on top of shifting privacy requirements with Microsoft Priva. Learn more about governance, protection, and compliance solutions for your organization’s data with Microsoft Purview. See how to uncover sophisticated threats and respond decisively with Microsoft Sentinel. Jump-start preparation for the Microsoft Security, Compliance, and Identity Fundamentals certification exam. Join us at an upcoming two-part Security, Compliance, and Identity Fundamentals event: Delivery Language: English Closed Captioning Language(s): English
September 12, 2024 | 12:00 PM – 3:15 PM | (GMT-05:00) Eastern Time (US & Canada)  September 13, 2024 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)   September 24, 2024 | 12:00 PM – 3:15 PM | (GMT-05:00) Eastern Time (US & Canada)  September 25, 2024 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

Ransomware remains a prevalent threat as threat actors use extortion tactics to pressure victim organizations to pay the ransom. They deny access to encrypted files, steal data, and threaten a data breach by posting on public ransomware leak sites or releasing the stolen data to regulators, clients, or patients. The NJCCIC continues to receive reports of ransomware incidents impacting New Jersey public sector organizations, including local governments and educational institutions, and private sector organizations, including healthcare, manufacturing, construction, and third-party vendors providing critical services and resources to organizations.

For the first half of 2024, ransomware incidents reported to the NJCCIC included Akira, Play, Qilin, INC, and Clop ransomware; however, LockBit 3.0 (Black) ransomware dominated the cyber threat landscape. Threat actors exploited vulnerabilities to infiltrate systems and networks by targeting organizations running a virtual private network (VPN) service, primarily lacking proper MFA implementation. Other reported points of entry were users clicking on phishing and malvertising links.

Once threat actors gained unauthorized access, they infiltrated the target organization, gained access to internal systems, and moved laterally to other critical systems. Once they exfiltrated data, they encrypted systems and servers, shutting down access to essential services and files containing personally identifiable information (PII) and financial information. Other impacted systems and information included emergency communications, transportation, human resources, employee records, payroll, and student information. Additionally, the ransomware incidents affected onsite backups; therefore, victim organizations had to resort to offsite backups, if available and viable for restoration.

Heading into the second half of 2024, the NJCCIC has received similar ransomware reports of LockBit 3.0 (Black) and Rhysida ransomware as threat actors continue targeting public sector organizations and phishing for PII and VPN credentials.

Recommendations

Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly. Avoid clicking links, responding to, or otherwise acting on unsolicited emails. Keep systems up to date and apply patches after appropriate testing. Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes. Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.

Image Source: Any.Run LinkedIn Blog Post

A sophisticated phishing campaign targeting Microsoft Teams was identified using the Tycoon 2FA Phish-kit phishing-as-a-service (PhaaS) platform to steal session cookies and bypass two-factor authentication (2FA) protection. After clicking on a phishing link, the victim is prompted to enter their email on the threat actor-controlled phishing page, MSOFT_DOCUSIGN_VERIFICATION_SECURED-DOC_OFFICE[.]zatrdg[.]com (Any.Run interactive analysis ). If the email used to authenticate is on the specified target list, the victim is redirected to an obfuscated phishing domain, such as donostain[.]com, requesting their Microsoft account password. This website redirects to a Tycoon 2FA phishing page or a legitimate domain. Another recent tactic is exploiting “Error 500” or “no Internet Connection” messages. After attempting to refresh the page, the victim is redirected to a fake Microsoft 365 Outlook phishing website to steal credentials if entered. Some of these phishing websites may also include a CAPTCHA solution.

An additional recently identified campaign uses Amazon Simple Email Service (SES) and high-profile redirects to steal user credentials. The attack chain is designed to avoid detection, involving multiple stages and using compromised domains and services. According to a phishing sample analysis, the attack begins with an email from an Amazon SES client. These emails often contain a valid signature, adding to their appearance of legitimacy. The email usually includes two empty PDF attachments and a message from Docusign stating, “You have received a document to review and sign.” Despite occasionally failing SPF and DKIM checks, these emails may still appear legitimate due to the compromised source. Based on a report by Any.Run, when the “Review Document” link is clicked, victims are rerouted through a complex series of URLs to obscure the final phishing domain.

Recommendations

Avoid relying solely on SPF and DKIM checks to validate emails, as the source email may be compromised. Avoid responding to messages, clicking links, or opening attachments from unknown or unverified senders, and exercise caution with emails from known senders. Confirm the legitimacy of requests by contacting the sender via a separate means of communication, such as by phone, using contact information obtained from official sources before responding, divulging sensitive information, or providing funds. Navigate directly to legitimate websites and verify before submitting account credentials or providing personal or financial information. Use strong, unique passwords and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. Reduce your digital footprint so that threat actors cannot easily target you. Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.

The NJCCIC received reports involving elder fraud scams that reflect recent tactics observed by the FBI. The scammers typically employ a multi-layered approach, impersonating associates of a technology company, a financial institution, and a US government official in sequence, a tactic commonly referred to as the “Phantom Hacker ” scam. The scammers may claim that the victim’s financial accounts were compromised or are at risk of being compromised, and, as a result, their funds need to be protected. In one reported incident, the scammers claimed to be federal investigators who had obtained a warrant for the arrest of the victim shortly after a close family member passed away.   The scammers typically persuade victims to liquidate their assets into cash or invest in gold, silver, or other precious metals. In some instances, the victims were instructed to wire funds to a precious metal dealer who claimed to ship the purchased commodities to the victims’ residences. Once a victim obtains the cash or precious metals, the scammers send couriers to retrieve the items at the victim’s home or a public location. The victim is assured that their assets will be protected in a secure account; however, the scammers sever contact shortly after the transaction, causing the victims to suffer significant financial losses. Between May and December 2023, the FBI’s Internet Crime Complaint Center (IC3) observed a significant increase in these fraudulent activities, resulting in combined losses exceeding $55 million. A similar incident was recently reported to the New Jersey State Police, involving a scammer who stole $13,000 from a victim in Hunterdon County, NJ, after the victim received a virus alert pop-up notification.   Recommendations   Educate yourself and others about these and similar scams. The US government and legitimate businesses will never request you to purchase gold or other precious metals. Refrain from clicking on or contacting unknown telephone numbers found in unsolicited pop-up notifications, or links and attachments delivered via emails or text messages. Avoid downloading software at the request of unknown individuals, and refrain from allowing them to access your computer. Confirm the legitimacy of requests by contacting the sender via a separate means of communication, such as by phone, using contact information obtained from official sources before responding, divulging sensitive information, or providing funds. Report malicious cyber activity to the FBI’s IC3 and the NJCCIC as quickly as possible to increase the likelihood of recovering funds. Be sure to include as much transaction information as possible, such as: The name of the person or company that made contact. Methods of communication used, including websites, emails, and telephone numbers. Any bank account numbers and the recipients’ names who received the wired funds. The name and location of the metal dealer company and the receiving account number if funds were wired to buy precious metals. Victims aged 60 or over who require assistance filing an IC3 complaint can contact the DOJ Elder Justice Hotline at 1-833-FRAUD-11 (833-372-8311).   .

NIST has released the initial public draft of Interagency Report (IR) 8532, Workshop on Enhancing Security of Devices and Components Across the Supply Chain. This report summarizes the presentations and discussions at a recent workshop on semiconductor security. Participants at the in-person workshop discussed existing and emerging cybersecurity threats and mitigation techniques for semiconductors throughout their life cycle.

The workshop obtained valuable feedback from industry, academia, and government to inform NIST’s development of cybersecurity and supply chain standards, guidance, and recommended practices. The discussion focused on semiconductor development and highlighted cybersecurity measurements and metrics that utilize reference data sets to facilitate the testing, attestation, certification, verification, and validation of semiconductor components. It also emphasized the use of automated cybersecurity tools and techniques to secure manufacturing environments throughout the development life cycle.

The public comment period for this draft is open through September 16, 2024. See the publication details for a copy of the draft and instructions for submitting comments.

Read More

OVERVIEW:
Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution.

• Ivanti Avalanche is a mobile device management system.
• Ivanti Neurons for ITSM is an IT Service Management Software.
• Ivanti Virtual Traffic Manager is a software-based application delivery controller.

Successful exploitation could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

THREAT INTELLEGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Ivanti Avalanche versions prior to 6.4.4
• Ivanti Neurons for ITSM without supplied patch.
• Ivanti Virtual Traffic Manager prior to versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, 22.7R2

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium 

Businesses:

• Large and medium business entities: High
• Small business entities: Medium 

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Ivanti Products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows: 

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve for remote code execution. (CVE-2024-37373)

Details of lower severity vulnerabilities:

• Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. (CVE-2024-7593)
• An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information. (CVE-2024-7569)
• Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user. (CVE-2024-7570)
• A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS. (CVE-2024-37399)
• An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS. (CVE-2024-36136)
• XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. (CVE-2024-38653)
• Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion. (CVE-2024-38652) 

Successful exploitation could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. 

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
     
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
     
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
     
• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
     
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
     

REFERENCES:

Ivanti:
https://www.ivanti.com/blog/august-security-update
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373?language=en_US
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570?language=en_US&_gl=1*qipm4q*_gcl_au*Mjc2NTU1MTc5LjE3MjM1NzA2NjQ.
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US&_gl=1*qipm4q*_gcl_au*Mjc2NTU1MTc5LjE3MjM1NzA2NjQ.

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37373
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37399
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38653

Register now >

August 28 – Microsoft Entra Verified ID: Seamless Remote Onboarding & Secure Access! August 29 – Microsoft Sentinel | What’s New in Microsoft Sentinel

Microsoft Copilot for Security Instructional Demo Videos 11 Instructional videos focusing on Copilot features. View the playlist HERE GitHub Azure Network Security Microsoft Defender for Cloud Microsoft Sentinel Microsoft Defender XDR Microsoft Defender for Cloud Apps   Latest Blog Posts & Videos Check out our latest content below: Microsoft Defender XDR -Monthly News -Aug 2024 Leveraging Azure DDoS protection with WAF rate limiting Microsoft Defender For Cloud – Monthly News – August Detect compromised RDP sessions with Microsoft Defender for Endpoint Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection Ninja Training Azure Network Security Microsoft Defender for Cloud Microsoft Sentinel Microsoft Defender for IoT Microsoft Defender for Cloud Apps Microsoft Defender Threat Intelligence

OVERVIEW:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Windows Secure Kernel Mode
• Windows Kerberos
• Microsoft Windows DNS
• Windows TCP/IP
• Microsoft Office
• Azure Connected Machine Agent
• Windows Kernel
• Windows Power Dependency Coordinator
• Azure Stack
• Azure Health Bot
• Windows IP Routing Management Snapin
• Windows NTFS
• Microsoft Local Security Authority Server (lsasrv)
• Windows Routing and Remote Access Service (RRAS)
• Microsoft Bluetooth Driver
• Microsoft Streaming Service
• Windows Network Address Translation (NAT)
• Windows Clipboard Virtual Channel Extension
• Windows NT OS Kernel
• Windows Resource Manager
• Windows Deployment Services
• Reliable Multicast Transport Driver (RMCAST)
• Windows Ancillary Function Driver for WinSock
• Windows WLAN Auto Config Service
• Windows Layer-2 Bridge Network Driver
• Windows DWM Core Library
• Windows Transport Security Layer (TLS)
• Microsoft WDAC OLE DB provider for SQL
• Windows Security Center
• Azure IoT SDK
• Windows Network Virtualization
• Windows Mobile Broadband
• Windows Update Stack
• Windows Compressed Folder
• Microsoft Dynamics
• .NET and Visual Studio
• Microsoft Office Visio
• Microsoft Office Excel
• Microsoft Office PowerPoint
• Microsoft Office Outlook
• Windows App Installer
• Windows Scripting
• Windows SmartScreen
• Windows Kernel-Mode Drivers
• Microsoft Office Project
• Azure CycleCloud
• Windows Common Log File System Driver
• Microsoft Teams
• Windows Print Spooler Components
• Line Printer Daemon Service (LPD)
• Microsoft Copilot Studio
• Windows Mark of the Web (MOTW)
• Windows Cloud Files Mini Filter Driver
• Microsoft Edge (Chromium-based)
• Windows Initial Machine Configuration

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
  • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug

A Denial of Service in CLFS.sys in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated low-privilege user to cause a Blue Screen of Death via a forced call to the KeBugCheckEx function.

CWE-ID	CWE Name	Source
CWE-1284	Improper Validation of Specified Quantity in Input