Eliana Willis

Microsoft’s Defender for Endpoint support for spotting known security flaws in Android and iOS devices has now reached general availability.   The threat and vulnerability management features allows admins to monitor for known but unpatched bugs in Android and installed apps, while the feature can spot bugs in iOS, though not yet in installed apps, Microsoft notes in a blogpost. 

ZDNet Recommends

Microsoft’s Defender for Endpoint, formerly Defender Advanced Threat Protection, helps admins protect managed company-issued mobile devices and unmanaged BYO devices. SEE: A winning strategy for cybersecurity (ZDNet special report)The mobile threat and vulnerability is part of Defender for Endpoint mobile threat defense (MTD), which can monitor for malware, jailbroken iPhones, and help implement conditional access to corporate resources. The vulnerability management capabilities are richer for Android devices since it can run vulnerability assessments of Android OS versions of onboarded devices, as well as assess apps that are installed on these devices. For Android Enterprise with a work profile, only apps installed on the work profile are supported for the assessment. For other BYOD modes, vulnerability assessment of apps are not available. The vulnerability assessment is available for onboarded iOS and iPadOS versions on devices. The assessment of apps on iOS devices will be available in a later release, according to Microsoft.  

This mobile capability builds on Defender for Endpoint’s vulnerability assessments for network devices, such as Cisco IOS, IOS-XE, NX-OS, as well as Juniper’s JUNOS, HPE’s ArubaOS, and Palo Alto Networks’ PAN-OS.  Microsoft has also beefed up Defender for Endpoint capabilities to discover unmanaged mobile devices, PCs and network devices that connect to the corporate network.   Defender for Endpoint MTD vulnerability assessments in Microsoft 365 Defender offer security teams a device inventory that shows an overview of each device’s name, risk level, exposure level, OS, active status and onboarding status.  The vulnerability management dashboard gives an overall exposure score for specific vulnerabilities and recommended actions.  More

The FBI’s Internet Crime Center (IC3) is warning that scammers are exploiting verification weaknesses in job-focused networking sites to post legitimate looking ads, capture personal information and steal money from job seekers. Scammers “continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI warns in a new public service announcement. 

ZDNet Recommends

The bogus ads threaten to damage the impersonated firm’s reputation and financial loss for the job seeker. SEE: Cybersecurity: Let’s get tactical (ZDNet special report)According to IC3’s complaint reports, the average reported loss from this scheme since early 2019 has been $3,000 per victim.In one notable scheme, attackers used a real company account on an employment-oriented network site to post fraudulent job postings.”The lack of strong security verification standards on one recruitment website allowed anyone to post a job on the site, including on official company pages,” the FBI notes.  

“Those postings would appear alongside legitimate jobs posted by the business, making it difficult for applicants and the spoofed company to discern which job posting was real and which one was fraudulent.”  The FBI doesn’t disclose which site lacked verification checks. However, BleepingComputer reported in August that a feature on LinkedIn allowed anyone to post a new job ad from the account of a known brand without providing verification. Additionally, admins of the company account couldn’t take down the fraudulent job ad.  Microsoft-owned LinkedIn last week published its latest Transparency Report, highlighting how many scam postings and fake accounts it took down in the six months to June 30, 2021. It claims its automated defenses blocked 97.1% of all fake accounts during the period, amounting to 11.6 million fake accounts stopped at registration. However, some 85,700 accounts were stopped after users reported them.   It also proactively removed 66.1 million spam and scam pieces of content on LinkedIn, but removed 232,000 pieces of such content after members reported them.   According to the FBI warning, scammers also replicated legitimate job postings, changed the contact information, and then posted the now-fraudulent job ad on other networking sites, The job recruitment scam ads borrow a lot of real information from impersonated hiring firms, including logos, images, email address and spoofed websites. In some cases, the scammers use the names and positions of actual company employees to improve online impersonation and then use those borrowed identities during the fee interview and hiring process. The FBI cites three examples of these scams over the past year where real employees names were used.As the FBI warned in 2020, fake job scams are an old trick, but online recruitment and teleconferencing apps have made it more lucrative and easy to create false interviews. Stolen personal information is used to take over a victim’s financial accounts, open new accounts, or use it to obtain fake driver’s licenses or passports. Victims are often offered work-from-home jobs and are sent a bogus employment contract to sign, and then asked to submit driver’s licenses, Social Security numbers, direct deposit information, and credit card information. Victims are asked to pay upfront for background checks, job training, and startup supplies and told they will be reimbursed in their first paycheck. After victims pay, the scammers vanish.  More

Samba has fixed a vulnerability in all versions of its software prior to version 4.13.17 that allowed for a remote actor to execute code as root, thanks to an out-of-bounds heap read write vulnerability.”The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability,” Samba said in its security notice. “Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.” Discovered by Orange Tsai from Devcore and labelled as CVE-2021-44142, Samba said the vfs_fruit module that improves compatibility for OS X clients is vulnerable in its default configuration. If the options fruit:metadata=netatalk or fruit:resource=file are set to something else, the vulnerability does not work, but doing so comes with a warning. “Changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost,” Samba said. Therefore, Samba says the preferred workaround to patching is to remove fruit from the configuration.

The vulnerability was given a near-perfect score of 9.9 in the CVSSv3.1 scale. Versions 4.13.17, 4.14.12, and 4.15.5 of Samba have been released to fix the issue. While traditional desktop and server users are able to update through the normal processes, those running NAS systems, particularly older ones, will need to wait for any potential firmware upgrades. Those releases also fix issues CVE-2022-0336 rated at 8.8 and CVE-2021-44141 rated at 4.2. For CVE-2022-0336, Samba Active Directory users that can write to an account’s servicePrincipalName (SPN) attribute are able to impersonate services thanks to a number of checks being skipped. “An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity,” Samba said. The CVE-2021-44141 issue relates to clients being able to use symlinks to work out if a file or directory exists in an area not exported through Samba. For the attack to work both SMB1 and Unix extensions need to be turned on — using SMB2 is enough to foil the attack. “SMB1 has been disabled on Samba since version 4.11.0 and onwards,” Samba said. Related Coverage More

Zero trust-type security, which no self-respecting security software provider doesn’t now provide, is a good leap forward in the never-ending battle against the bad hacker actors of the world. But it’s turning out not to be the complete answer to storing corporate data securely for an enterprise and its users.Zero trust enables enterprises to restrict access controls to networks, applications, and environments without sacrificing performance and causing user ire. A zero-trust approach trusts no one, no matter how high on a security clearance ladder he or she may be. Multiple entry codes will always be needed. But ZT still needs assistance in order to provide the 24/7 security and airtight access processes required by many enterprises, and AI is providing that help.This is where next-gen data protection providers such as Fortinet, Dell Technologies, Forcepoint, and Cohesity come into the picture, because they all bring multiple weapons to this problem. Many of those tools use AI to identify intruders and stop exploits faster than had been available previously.Cohesity is the latest to produce new capabilities augmenting ZT and aimed squarely at solving the rampant ransomware problem that so many organizations – both for-profit and nonprofit – have suffered in the last few years. Early on, cybercriminals focused only on encrypting a victim’s production data. Cohesity, among others, countered by enabling users to rapidly restore from backup data. Then, criminals started to destroy or encrypt backup volumes themselves. Cohesity countered with immutability. Now, bad actors are exfiltrating the data and threatening to post it on the dark web. To help its users address the latest threats, Cohesity unveiled at its Cohesity Connect conference the following SaaS offerings, which are now included in the company’s Data Management as a Service platform: Cohesity DataGovern: A data security and governance service that uses AI/ML to automate the discovery of sensitive data and detect anomalous access and usage patterns that could indicate a cyberattack in play — the key to thwarting bad actors trying to exfiltrate data. Project Fort Knox: A service that allows users to maintain an isolated copy of their data in a Cohesity-managed vault to improve data resiliency in the face of ransomware attacks. In addition to immutability, the company said, this gives users another way to thwart attackers trying to encrypt data. The four pillars of next-gen data managementCohesity CEO Mohit Aron told ZDNet that any provider describing its platform as “next-gen data management” must include the following four characteristics: Must be intuitive and simple to use at scale: Enterprise line-of-business employees should be able to use the platform at will to manage all their data optimally as needed.Must include zero-trust security: Specific ransomware protection is built into this. Must be AI-powered: “The platform needs to be smart, so when something goes down, it can auto-heal itself. It must have AI-based detection of ransomware. So the whole platform must be AI-powered,” Aron said.  Cohesity’s AI/ML-based classification software is used to identify sensitive data — including personally identifiable information (PII) — in backup and production data, and determine who has access to it, helping to harden environments before attacks occur.Must have third-party extensibility: “Users shouldn’t just be able to take benefit of the products that we build, but on this platform, they should be able to extend the power of this platform by third-party applications and integrations,” Aron said. 

“Relying on legacy backup as an insurance policy no longer is sufficient,” Cohesity Head of Product Matt Waxman said. “Users need next-gen technology that makes it easy to identify sensitive data, detect anomalies, isolate data, and stay ahead of modern threats. That’s what we’re focused on in our Threat Defense architecture.”  How the AI is implementedIn order for technologists, data architects, and software developers to learn more about how to utilize AI, ZDNet asked the following questions of Aron, who offered these details:ZDnet: What AI and ML tools are you using specifically? Aron: Applications of AI/ML are spread across multiple areas of our product, both on the SaaS side and on-premises. One set of use cases is the use of time series (looking at data over time) anomaly detection techniques that identify potential data security threats, such as a ransomware attack, and provide alerts and guidance to the administrator.   Another category is the use of a combination of supervised/semi-supervised models for security analytics and data governance. For proactive performance optimization use cases, we use a variety of time-series regression models. ZDnet: Are you using models and algorithms out of a box, such as DataRobot or other sources? Aron: For simpler use cases, we use off-the-shelf models with minimal tuning. For more complex ones, we integrate a set of off-the-shelf models to achieve better accuracy. ZDnet: What cloud services are you using? Aron: Our Data Management as a Service portfolio of SaaS offerings runs on AWS. Our data management platform also runs on Microsoft Azure and Google Cloud. ZDnet: Are you using the AI workflow tools that come with that cloud? Aron: We leverage SageMaker workflows where applicable; however, we do build our own workflows deployed on Kubernetes to support a variety of deployment models.ZDnet: How are you labeling data for the ML and AI workflows? Aron: For labeling data for supervised learning use cases, we leverage pre-labeled data collected from our wide customer base in combination with our own data labeling inference workflows for augmentation. ZDnet: Can you give us a ballpark estimate on how much data you are processing?Aron: We estimate that we process hundreds of millions of events on a daily basis for a variety of ML-enabled use cases. More

What a time to be alive! Hot on the heels of Forrester’s release of our definition of modern Zero Trust (ZT), the US Office of Management and Budget (OMB) released a memo entitled Moving the US Government Toward Zero Trust Cybersecurity Principles. Coincidence? Yes. A big deal? Also, yes. If executed as mandated, not only will government agencies meet the security maturity levels of large organizations in the private sector (they did just start hiring at that level, remember), they’ll also surpass them. This major transformative effort sets a new bar for all sectors and is a cause for celebration. It also breaks down barriers to Zero Trust adoption by providing security leaders across industries a set of priorities in line with each of the five Zero Trust pillars, which they can seek executive buy-in — made all the easier by a high-profile government mandate — and build into their budgets and timelines. Celebrate this strategy Zero Trust advocates should be jumping for joy over the federal government’s understanding of modern Zero Trust and how it is operationalized. Forrester designated seven operational domains of Zero Trust: five for security controls and two for interaction across the domains when we created Zero Trust eXtended (ZTX). The Cybersecurity and Infrastructure Security Agency (CISA) and the OMB recognize these seven and add one more: governance. So, for the past decade, where there was previously much confusion around how to define or operationalize Zero Trust, today there is an outpouring of aligned definitions, thanks to the White House Executive Order released in early 2021. Importantly, CISA’s view takes cues from Forrester’s original shaping of Zero Trust when we first defined it over 12 years ago. Our guns are pointing in the same direction. Second, the OMB strategy document has depth and breadth. In all these domains, OMB doesn’t just make the right call, it makes the bold call and doubles down on Zero Trust. Examples abound!
Forrester
There are a handful of half measures, which is fewer than we were expecting for government IT composed largely of islands of varying technological maturity. This includes encrypted email and some leeway on how people do ZT in the network (which is understandable, because the network is still the hardest part). Why This Matters 

Many organizations lack a cogent cybersecurity strategy; at least now US federal agencies aren’t among them. And while better cybersecurity is a worthy goal, don’t forget that sabers rattle in both a middle kingdom and the remains of a superpower, neither of which have qualms about cyber warfare. For many initiatives, the devil is in the details. That’s not true for the OMB Zero Trust strategy; as we mentioned above, it’s really good. Here, the devil will be in the execution. To what extent will every agency, contractors, and all their subcontractors operationalize Zero Trust? The short Among the timelines included in the OMB strategy are several short-term tasks, such as providing CISA and the General Services Administration any non-.gov hostnames (a mere 60 days) and the welcoming of external vulnerability reports for internet-accessible systems. Within one year, enforced password rotation should be kicked into the gutter, where it belongs. Crucially, within 60 days, agencies must submit to OMB and CISA an implementation plan for FY22–FY24 for OMB concurrence and a budget estimate for FY23–FY24. As budget estimates align with roadmaps, many a CISO will need help revising these quickly. The recent cybersecurity hiring improvements may help draw patriots from the private sector for some agencies, but others will have to draw on third parties for strategy consulting. Having worked with many Forrester clients (federal, state, and city government agencies), we know that agencies: Have different levels of technological and cybersecurity maturity. Will undergo Zero Trust maturity assessments and gap analyses based off the recently published CISA Zero Trust maturity model. Getting to the long term The OMB Zero Trust strategy mandates many significant (and challenging) security improvements for each federal agency over the long term. Two themes within the OMB strategy provide help for the government CISO: cloud and collaboration. Regarding collaboration, paraphrasing section two, “[teams] within and across agencies should collaborate to jointly develop pilot initiatives and governmentwide guidance on categorizing data based on protection needs, ultimately building a foundation to automate security access rules.” And it’s not just teams. The memorandum has sage words for the execs: “Agency chief financial officers, chief acquisition officers, senior agency officials for privacy, and others in agency leadership should work in partnership with their IT and security leadership to deploy and sustain Zero Trust capabilities. It is critical that agency leadership and the entire C-suite be aligned and committed to overhauling an agency’s security architecture and operations.” The OMB strategy also mentions “cloud” an eye-popping 44 times in its 29 pages. “Agencies should make use of the rich security features present in cloud infrastructure,” states the memorandum’s opening. Many of the mandates, to be sure, are more easily accomplished with cloud-based architectures (think: enterprise-wide management of anything). The OMB strategy has guidance around cloud for all five of the main Zero Trust pillars: identity, devices, networks, workloads, and data. Mark this day We have ordered additional rations of ibuprofen for the current and former Forrester analysts aligned to Zero Trust, as several have sprained themselves with virtual high fives and physical pats on their own backs in celebration of this memorandum. Hyperbole aside, let us observe and celebrate the monumental progress that the US federal government has achieved toward Zero Trust: in 2020, the NIST Zero Trust architecture (SP 800-207); in 2021, the Biden Executive Order on Zero Trust and the CISA Zero Trust maturity model; and now, in 2022, the most specific and ambitious document yet, the OMB Zero Trust strategy. This post was written by Senior Research Analyst David Holmes and it originally appeared here.  More