NIST has published the final version of its zero trust architecture guidance document (SP 800-207) to help private sector organizations apply this cybersecurity concept to improve their security posture.

Zero trust is a concept that involves changing defenses from static, network-based perimeters to focus on users, assets, and resources. With zero trust, assets and user accounts are not implicitly trusted based on their physical or network location or asset ownership. Under the zero trust approach, authentication and authorization are discreet functions that occur with subjects and devices before a session is established with an enterprise resource.

The use of credentials for gaining access to resources has been an effective security measure to prevent unauthorized access; however, credential theft – through phishing campaigns for instance – is now commonplace, so cybersecurity defenses need to evolve to better protect assets, services, workflows, and network accounts from these attacks.

All too often, credentials are stolen and are used by threat actors to gain access to enterprise networks undetected. Threat actors often have access to networks for days, weeks, or even months before an attack is detected, during which time they are free to move laterally and compromise an entire network. The increase in remote working, bring your own device initiatives and the use of cloud-based assets that are not located within the traditional network boundary has made the traditional perimeter-based approach to network security less effective.

A zero trust architecture helps to solve these issues and improve cybersecurity defenses. According to NIST, “zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

The guidance document provides an abstract definition of zero trust architecture (ZTA), covers the zero trust basics and logical components of zero trust architecture, and includes general deployment models and use cases where the zero trust approach can improve an organization’s information technology security posture.

In the guidance document NIST explains how the zero trust model can be combined with the NIST Risk Management Framework, NIST Privacy Framework, and other existing federal guidance and outlines how organizations can migrate to zero trust architecture.

Initially, organizations should focus on restricting access to resources to individuals who require access to perform their work duties, and to only grant minimal privileges such as read, write, delete. In many organizations with perimeter-based defenses, individuals tend to be given access to a much broader range of resources once they have been authenticated and logged in to an internal network. The problem with this approach is unauthorized lateral movement is too easy, either by internal actors or external actors using stolen credentails.

The zero trust security model assumes an attacker is present within an environment, so there is no implicit trust. Enterprise networks are treated the same as non-enterprise networks. Under the zero trust approach, organizations continually analyze and evaluate risks to assets and business functions and then enact protections to mitigate those risks.

Migrating to zero trust is not about the wholesale replacement of infrastructure or processes, rather it is a journey that involves incrementally introducing zero trust principles, processes, technology solutions, and workflows, starting with protecting the highest value assets. Most organizations will remain in a hybrid zero trust and perimeter-based environment for some time while they implement their IT modernization plan and fully transition to zero trust architecture.

The guidance document is the result of collaboration with several federal agencies and was overseen by the Federal CIO Council. The document was developed for enterprise security architects, but is also a useful resource for cybersecurity managers, network administrators, and managers to gain a better understanding of zero trust.

The publication can be downloaded from NIST on this link.

The post NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses appeared first on HIPAA Journal.

The FBI Cyber Division has issued a Private Industry Notification advising enterprises still using Windows 7 within their infrastructure to upgrade to a supported operating system due to the risk of security vulnerabilities in the Windows 7 operating system being exploited.

The FBI has observed an increase in cyberattacks on unsupported operating systems once they reach end-of-life status. Any organization that is still using Windows 7 on devices faces an increased risk of cybercriminals exploiting vulnerabilities in the operating system to remotely gain network access. “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” warned the FBI.

The Windows 7 operating system reached end-of-life on January 14, 2020 and Microsoft stopped releasing free patches to correct known vulnerabilities. Microsoft is only providing security updates for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate if users sign up for the Extended Security Update (ESU) program. The ESU program will only run until January 2023, and the cost of continued support increases the longer a customer participates in the program. While security updates are being released for customers that have signed up for the ESU program, the FBI and Microsoft strongly advise users of Windows 7 to upgrade to Windows 10 or a fully supported operating system.

Updating an operating system is not without its challenges. New devices may need to be purchased and new software comes at a cost, but the cost will be negligible compared to the cost of the loss of intellectual properly and threats to an organization from the continued use of an operating system that is no longer supported.

Many organizations around the world are still using Windows 7 on at least some of their Windows devices. Data from Statcounter indicates around 20% of all Windows devices are still running Windows 7, even though free security updates are no longer being issued. An open source report published in May 2019 found that 71% of Windows devices used in healthcare were using Windows 7 or other operating systems that became unsupported in January 2020.

The FBI warned that increases in successful cyberattacks have been observed in healthcare when operating systems have reached end of life. When support for Windows XP ended on April 28, 2014, the industry saw a large increase in the number of exposed and compromised healthcare records the following year.

The FBI explained that cybercriminals are continuing to search for entry points into legacy Windows operating systems in order to leverage Remote Desktop Protocol (RDP) exploits. In May 2019, following the discovery of the BlueKeep vulnerability, Microsoft released patches for all supported operating systems and also a patch for Windows XP and other unsupported operating systems in order to prevent a WannaCry-style attack.  Since the vulnerability was discovered, working exploits have been developed to exploit the flaw and are still being used to attack unpatched Windows devices.

Vulnerabilities will be found and exploited on unpatched systems. When Microsoft released the MS17-010 patch to address several SMBv1 vulnerabilities in March 2017, many organizations were slow to apply the patch, even though there was a high risk exploitation. The WannaCry ransomware attacks exploiting the flaws started in May 2017. 98% of systems infected with WannaCry were running Windows 7.

“With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target” warned the FBI.

When organizations use an actively supported operating system, patches are automatically made available to fix newly discovered security vulnerabilities. Upgrading to a supported operating system is one of the most important steps to take to improve security.

“Defending against cyber criminals requires a multilayered approach, including validation of current software employed on the computer network and validation of access controls and network configurations,” explained the FBI in the alert.

In addition to upgrading the operating system and applying patches promptly, organizations should ensure antivirus software is installed, spam filters are used, and firewalls should be implemented, properly configured, and kept up to date.

Network configurations should be audited and any computer systems that cannot be updated should be isolated. The FBI also recommends auditing the network for systems using RDP and closing unused RDP ports. 2-factor authentication should be implemented as widely as possible and all RDP login attempts should be logged.

If there are reasons why Windows 7 devices cannot be updated and devices cannot be completely isolated, they should not be accessible over the internet and organizations should enroll in Microsoft’s ESU program.

The post FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System appeared first on HIPAA Journal.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns.

Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government.

CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation.

Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two files: A loader that is started as a service, which decrypts and executes a second file in the memory. The second file is the main Taidoor Remote Access Trojan (RAT). The Taidoor RAT provides gives the attackers persistent access to enterprise networks and allows data exfiltration and other malware to be downloaded.

CISA has published a Malware Analysis Report that includes confirmed indicators of compromise (IoCs), suggested mitigations, and recommended actions that can improve protection against Taidoor malware attacks. In the event of an attack, victims should give the activity the highest priority for enhanced mitigation and the attack should be reported to either CISA or FBI Cyber Watch.

CISA recommended actions for administrators include maintaining up to date antivirus signatures, keeping operating systems and software patched, disabling file and printer sharing (or using strong passwords if file and printer sharing is needed), restricting the use of admin privileges, exercising caution when opening email attachments, implementing a strong password policy, enabling firewalls on all workstations to deny unsolicited connection requests, disabling unnecessary services on workstations, monitoring users’ web browsing habits, and scanning all software downloaded from the Internet prior to execution.

The IOCs, mitigations, and recommendations can be found here.

The malware warning follows a joint alert issued by CISA and the FBI in May about attempts by Chinese hackers to gain access to the networks of organizations involved in COVID-19 research and vaccine development to steal intellectual property and public health data. The agencies have observed an increase in attacks spreading malware under the guise of updates on COVID-19 and spear phishing attacks using COVID-19 themes lures. In July, the Department of Justice announced that two Chinese hackers had been indicted for hacking US healthcare firms, government agencies, medical research institutions and other targets.

The post CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT appeared first on HIPAA Journal.

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving NetWalker ransomware. NetWalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services.

The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research.

The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities in Virtual Private Networking (VPN) appliances such as the Pulse Secure VPN flaw (CVE-2019- 11510) and Telerik UI (CVE-2019-18935).

The threat group is also known to attack insecure user interface components in web applications. Mimikatz is deployed to steal credentials, and the penetration testing tool PsExec is used to gain access to networks. Prior to encrypting files with NetWalker ransomware, sensitive data is located and exfiltrated to cloud services. Initially, data was exfiltrated via the MEGA website or by installing the MEGA client application directly on a victim’s computer and more recently through the website.dropmefiles.com file sharing service.

Earlier this year, the NetWalker operators started advertising on hacking forums looking to recruit a select group of affiliates that could provide access to the networks of large enterprises. It is unclear how successful the group has been at recruiting affiliates, but attacks have been increasing throughout June and July.

The FBI has advised victims not to pay the ransom and to report any attacks to their local FBI field office. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” explained the FBI in the alert. “Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

A range of different techniques are being used to gain access to networks so there is no single mitigation that can be implemented to prevent attacks from being successful. The FBI recommends keeping all computers, devices, and applications up to date and applying patches promptly. Multi-factor authentication should be implemented to prevent stolen credentials from being used to access systems, and strong passwords should be set to thwart brute force attempts to guess passwords. Anti-virus/anti-malware software should be installed on all hosts and should be kept updated, and regular scans should be conducted.

To ensure recovery from an attack is possible without paying the ransom, organizations should backup all critical data and store those backups offline on a non-networked device or in the cloud. The backup should not be accessible from the system where the data resides. Ideally, create more than one backup copy and store each copy in a different location.

The post FBI Issues Flash Alert Warning of Increasing NetWalker Ransomware Attacks appeared first on HIPAA Journal.