Breaking Down a Breach – What Happened and How to React 2

Hello and welcome to the Breaking Down a Breach series!  

It's time to select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks[1]: 

  • Probe  
  • Penetrate  
  • Persist  
  • Pivot 
  • Pilfer  

Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[2] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it. 

Today, we will not be looking at a specific breach; rather, we will address a recently disclosed vulnerability with the potential for catastrophic impact worldwide: a serious flaw in the part of Microsoft Windows that decides which software, updates, and connections can be trusted. It is tracked as CVE-2020-0601 and lives in the Windows CryptoAPI (crypt32.dll), the component that validates digital certificates[3]. You might ask yourself whether the words ‘security’ and ‘trust’ belong in the same sentence, let alone describing a core piece of the operating system, so let me briefly elaborate.  

Operating systems need a reliable way to determine whether a patch or application came from a source that can be identified and held to its coding requirements – in short, can the company providing the patch or code library be trusted and validated? This may seem like a minor detail, but Microsoft cannot test every third-party application or piece of code, so Windows instead checks that code carries a valid digital signature from a vendor whose certificate chains up to a certificate authority the system already trusts. Even Microsoft’s own applications, patches, and services that rely on operating system functions – for instance, logging in to the computer – have to meet that trust standard, and the same certificate checks protect HTTPS connections and signed email. All of this is handled by one cryptography module, and therein lies the problem.  

On Jan. 14, 2020, Microsoft, the National Security Agency (‘NSA’), and the Computer Emergency Response Team (‘CERT’) all released high-priority notifications of a ‘CVE’, or Common Vulnerabilities and Exposures entry, for the flaw in the cryptographic module[3]. Such notifications are nothing new; what was new is that the NSA not only discovered the vulnerability but alerted Microsoft and then publicly took credit for the disclosure within a very short time frame. In the past, this has not been the policy or practice of the NSA; such an openly public posture from a secretive agency only underscores how serious the problem really is. 

What happened: On January 13, Brian Krebs, a well-known and highly respected security journalist, broke the story of the reported vulnerability and the upcoming patch to be included in the first Microsoft Patch Tuesday of the year[4]. There were rumblings in the security community that the patch was going to be important. So important, in fact, that the NSA’s Director of Cybersecurity, Anne Neuberger, scheduled a media call to release the information, an unusual move for the NSA. On January 14, Ms. Neuberger confirmed that the vulnerability had been found by NSA staff during their normal research and had been reported to Microsoft. It was also noted that Microsoft had not yet seen any active exploitation of the vulnerability. 

In this case, the vulnerability has the potential to create extensive damage. The module is responsible for verifying the ‘chain of trust’ for software and services all the way back to an authoritative source, a certificate authority, that vouches for the identity of the creator. The flaw is in how the module validates certificates that use Elliptic Curve Cryptography (ECC)[3]: a certificate that declares its own curve parameters could be crafted so that it appears to have been issued by a trusted certificate authority when it was not. Essentially, a cybercriminal could spoof the operating system into believing malware is legitimately signed and safe to run, or pass off a fake website or signed email as genuine. This would create situations where such malware could persist in the system for long periods virtually undetected, pilfer information without raising error messages, tamper with files under the guise of trusted software, and become very difficult to trace and remove. 
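To make the ‘chain of trust’ failure concrete, here is a toy model. It is an added example written for this post, not code from the original article or from Microsoft. It replaces the real named curves (such as P-256) with a constructed curve over GF(97), and the certificate structure, function names and root private key are assumptions for illustration. It follows the public analyses of CVE-2020-0601, in which a certificate declaring explicit curve parameters whose generator equals the trusted root’s public key was matched to that root by public key alone:

```python
# Added illustration, not code from the original post or from Microsoft.
# Toy model of the CVE-2020-0601 trust-anchor check: a tiny curve over GF(97)
# stands in for the real named curves handled by crypt32.dll. Curve, key sizes,
# certificate layout and names below are assumptions for this example only.
from dataclasses import dataclass

# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97) with base point (3, 6).
P_MOD = 97
A, B = 2, 3
G_NAMED = (3, 6)
NAMED_CURVE = (P_MOD, A, B, G_NAMED)   # what "use the named curve" refers to


def inv(x):
    """Modular inverse in GF(97)."""
    return pow(x % P_MOD, -1, P_MOD)


def add(p, q):
    """Elliptic-curve point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, p):
    """Scalar multiplication k * p by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = add(result, p)
        p = add(p, p)
        k >>= 1
    return result


@dataclass(frozen=True)
class Cert:
    subject: str
    curve: tuple          # (p, a, b, generator) referenced or declared by the cert
    public_key: tuple     # Q = d * generator


# The genuine trust anchor: private key 3 stays with the CA, only Q is public.
ROOT_PRIVATE_KEY = 3
TRUSTED_ROOT = Cert("Trusted Root CA", NAMED_CURVE, mul(ROOT_PRIVATE_KEY, G_NAMED))


def matches_root_vulnerable(cert):
    """Flawed check: the certificate is treated as the trusted root when its
    public key matches, without comparing the curve parameters it declares."""
    return cert.public_key == TRUSTED_ROOT.public_key


def matches_root_fixed(cert):
    """Hardened check: the public key AND the curve parameters must match."""
    return (cert.public_key == TRUSTED_ROOT.public_key
            and cert.curve == TRUSTED_ROOT.curve)


def forge_root():
    """Attacker's move: keep the root's public point Q but declare explicit
    curve parameters whose generator is Q itself, so private key 1 satisfies
    1 * Q == Q. The attacker now holds a usable private key for 'trusted' Q."""
    q = TRUSTED_ROOT.public_key
    forged = Cert("Trusted Root CA", (P_MOD, A, B, q), q)
    return forged, 1


def demo():
    """Run the forgery against both matchers and report the outcomes."""
    forged, forged_private_key = forge_root()
    key_pair_consistent = mul(forged_private_key, forged.curve[3]) == forged.public_key
    return {
        "key_pair_consistent": key_pair_consistent,
        "vulnerable_accepts_forgery": matches_root_vulnerable(forged),
        "fixed_accepts_forgery": matches_root_fixed(forged),
        "fixed_accepts_genuine": matches_root_fixed(TRUSTED_ROOT),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run directly, it prints four checks: the attacker’s key pair is consistent under the forged parameters, the flawed matcher accepts the forged root because the public points are identical, and the hardened matcher rejects it because the declared parameters differ from the named curve while still accepting the genuine root. The lesson for anyone writing or reviewing validation code is the one the patch applies: identify a trust anchor by its complete key, parameters included, never by the public point alone.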

How it happened: It may seem that this is an egregious oversight on the part of Microsoft; however, the Windows operating system is estimated to contain over 50 million lines of code. Even with fairly rigorous testing prior to release, it is impossible to test every possible use case or combination of systems, applications, and scenarios. 

Therefore, more stringent testing guidelines should be adopted. When I was in development (many, many years ago), one of the common tests for your programming was to feed purposefully bad data into the system to make certain that your logic tests would reject it properly and safely, without allowing the program to crash or otherwise perform dangerous operations. Since Windows is the most widely adopted desktop platform on Earth (one estimate put its share at 95.86% as of December 2018[5]), it behooves both Microsoft and application developers to be more aggressive in secure development practices. I am oversimplifying, but the argument is valid, especially in light of such a fundamental flaw in a core system module. 

At the same time, I want to praise the NSA for their approach to reporting this vulnerability. In the past, the NSA, one of the few agencies with sufficient skill and resources to uncover these types of issues, has been less than forthcoming and has even used unpublished vulnerabilities as tools (such as EternalBlue, which in turn led to WannaCry and NotPetya once cybercriminals got their hands on the EternalBlue code[6]). In my opinion, this new strategy, under the leadership of Ms. Neuberger and her worthy colleagues, will help close cybersecurity gaps more rapidly. 

What you can do to protect your company: There are a couple of lessons you can apply to protect your business: 

  1. Patch, patch, patch. It can’t be said enough that all computing devices and applications require periodic updates and patches. Turning on Windows Update is not sufficient; all patches need to be vetted and applied carefully to workstations, laptops, and servers, not to mention switches, firewalls, access points, mobile phones…you get the picture. For this flaw specifically, the affected systems are Windows 10 and Windows Server 2016 and later; older versions such as Windows 7 are not listed as affected[3]. Once the January 2020 update is installed, Windows also records attempts to use a malformed certificate in the Application event log as Event ID 1 from the source Microsoft-Windows-Audit-CVE, which is worth watching for. Networks Plus offers a patching service which covers all Windows patches and many of the standard business application patches. Part of the service is to test and vet patches prior to deployment. Contact your Networks Plus business consultant for more information. 
  2. Set internal security policies to prevent end users from installing any application, and require that applications be tested and approved prior to installation. While this may seem unnecessary, realize that most end users have very little understanding of what an application may do to an operating system or network. Allowing end users to install that ‘weather’ app or background theme may lead to some very undesirable consequences. Note that application allow-listing based on publisher signatures (such as AppLocker publisher rules) depends on the very certificate validation this flaw undermines, so it complements patching rather than replacing it. 
  3. Education. Make sure to stay informed on potential threats. Training the entire company, including yourself, on security threats is no longer a luxury – it is a necessity in today’s always-on, always-connected world.  

UPDATE – 01/17/20: To emphasize just how serious this problem is, read more here.

At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact one of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business. 

[1] For more detail on the Five “P’s”, read the first Breach blog

[2] For more information, here is my blog

[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

[4] https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

[5] Usage Share of Operating Systems 

[6] https://en.wikipedia.org/wiki/EternalBlue