Applications are now open for our next cohort of the CyberCX Academy

CyberCX Security Report | November 2020

,

There’s no shortage of cyber-attacks making the headlines, but what do they mean for you?

At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.

Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.

Research highlights HTTPS and JavaScript security limitations

Read the full story

Whilst HTTPS is now widely adopted by most web applications, it would be wrong to assume that HTTPS alone indicates a sufficient level of security.

In a three-year audit by the Optus Macquarie Cyber Security Hub, researchers analysed 1,862 Australian federal and state/territory government websites. Whilst 84% of the surveyed websites had HTTPS implemented, 3.9% of federal government sites and 7.4% of state/territory sites were still deemed to be insecure due to weaknesses in cryptographic mechanisms (e.g., use of weak or sub-optimal ciphers), support of vulnerable protocols (e.g., SSL3), and “untrusted” certificates not allowing for correct server-identity validation.

All these can potentially place client information at risk of being intercepted and obtained by a malicious agent despite the use of HTTPS.

This serves as an important reminder, that just because you have HTTPS implemented on your web applications, you still need to take measures to ensure you’re using appropriate encryption that is securely configured. Deployed cryptographic methods should be regularly reviewed.

Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. However, if not properly maintained, such dependencies can allow a site to be compromised.

For example, by embedding an old version of JQueryUI library, almost 10% of Australian government websites are exposed to a high-severity Cross-Site Scripting (XSS) vulnerability, which could be exploited by attackers to inject malicious code in the webpage.¹

One way to help ensure your web applications don’t contain insecure source-code obtained from third-party libraries is through conducting periodic Secure Code Reviews, particularly when upgrading or releasing any new functionality.
(1) https://www.mq.edu.au/__data/assets/pdf_file/0007/1074913/Vulnerabilities_in_Australian_Government_Websites.pdf

Insecure Third-Party Opens Way for Hackers

Read the full story

A recent report by CoreView found approximately 78% of Microsoft Office 365 administrators do not have Multi-Factor Authentication (MFA) activated.

This represents a significant security risk. MFA is one of the most important security initiatives an organisation can implement in order to reduce the threat of a range of cyber-attacks including email-based phishing or spear phishing attacks, automated credential stuffing, or guessing attacks.

The report also found that 36% of administrators are Global Admins, meaning they have unrestricted access throughout the organisation’s Office 365 environment. If an administrator with Global Admin rights is subjected to a cyber-attack, the organisation is at risk of suffering significant damage and data compromise.

When it comes to limiting the threat of some of the most common attacks, make sure your organisation has MFA implemented. Requiring a password and at least one other form of verification, you’ll be able to reduce the likelihood of most hacking attempts.

When implementing MFA, it is advisable to select a combination of different verification types:

Something the individual knows
(e.g. password or PIN)
Something the individual has
(e.g. a token or smartcard)
Something the individual is
(e.g. a fingerprint or iris scan)

Password-less IoT devices leave industries vulnerable

Read the full story

As Internet of Things (IoT) devices become increasingly commonplace in commercial and industrial settings, safeguarding their security has never been more urgent.

Mottech Water Management develops smart irrigation systems for use in agricultural or parkland settings. It connects sensors to the internet which enable real-time monitoring and distribution of water and fertiliser to different valves across the system.

Researches recently discovered more than 100 Mottech Water Management systems across the globe that were installed without changing the factory’s default, password-less setting.

This glaring oversight left the systems vulnerable to malicious attack, possibly resulting in an attacker being able to flood fields or over-deliver fertiliser and destroy large quantities of crops.

In September 2020, the Australian Government released a new voluntary Code of Practice for IoT manufacturers. The first of 13 principles relates to passwords:

No duplicated default or weak passwords

Examples of good implementation

  • The device has a unique, unpredictable, complex and unfeasible to guess password for setup and access. Where this isn’t possible, the device prompts users to set/change the password at first use.
  • The default password is not publicly known or published.
  • Where the user is prompted to set a password for the device or associated online account, the user is required to choose a password of at least the minimum length and complexity as articulated in the Australian Government Information Security Manual.
  • All online accounts associated with a device use WebAuthn or multi-factor authentication.
  • The Wi-Fi access point hosted by the device, and used for setup, requires the user to authenticate.

Examples of bad implementation

  • The device has a weak default password that is unable to be changed.
  • The device discloses its account password by simply interacting with it, without authenticating first.

Whether you are an IoT manufacturer, or you have IoT in your organisation’s environment, it is absolutely essential to ensure the devices are properly secured with strong passwords.


Keep on top of patching to stop “Bad Neighbour” vulnerability

Read the full story

When Microsoft issued 87 patches as part of its October ‘Patch Tuesday’ release, one vulnerability stood out as particularly malicious.

Dubbed “Bad Neighbour” by McAfee, CVE-2020-16898 is a bug that impacts Windows 10 and Windows Server 2019 systems.

The vulnerability could allow an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system. The extremely simple and reliable bug could have widespread and highly impactful consequences due to its wormable nature.

The vulnerability is likely to have the greatest impact on Windows 10 consumers. Patching Windows systems will significantly minimise the threat surface. The number of impacted Windows Server 2019 machines should be limited as most servers are behind firewalls or hosted by Cloud Service Providers (CSPs).

It’s essential to make sure you patch against this vulnerability. Updates are available here.

Additionally, Microsoft advises that a workaround is possible that will help protect you before you’re able to patch. You can disable ICMPv6 RDNSS, to prevent attackers from exploiting the vulnerability, with the following PowerShell command. This workaround is only available for Windows 1709 and above. See What’s new in Windows Server 1709 for more information.

It is important to make sure your organisation has a well-developed Vulnerability Management plan in place. This is the best way to ensure you keep up to date with the broad range of updates that are released on a regular basis by many vendors.

Ready to get started?

Find out how CyberCX can help your organisation manage risk, respond to incidents and build cyber resilience.