How are you securing your communications in the wake of the Volt Typhoon revelations?

The FBI recently warned that text messages exchanged between Apple and Android devices are not end-to-end encrypted and that attackers with a foothold in carrier networks could intercept and read them, further fallout from the revelation that a Chinese state-affiliated threat actor had breached telecommunications companies. The announcement that the group known as Salt Typhoon had compromised the networks of major global telecommunications providers to conduct a broad and significant cyber-espionage campaign exposed a disconnect in how we think about such electronic communications: as with email, we should never have considered them secure in the first place.

Details were released in joint guidance, "Enhanced Visibility and Hardening Guidance for Communications Infrastructure," authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand's National Cyber Security Centre (NCSC-NZ).

For many years, our telecommunications infrastructure was built on technology that required specialized knowledge or unique tools to trace communications. I am reminded of the classic tale of computer intrusion, Clifford Stoll's "The Cuckoo's Egg," in which Stoll created a honeypot of fictitious documents to keep an intruder online long enough for the connection to be traced back to Germany.

Now our communication infrastructure is built on internet technology and is thus susceptible to infiltration through any number of intrusion points. While the recent CISA and NSA guidance specifically concerns telecommunications infrastructure, we use the internet for nearly everything these days, so it is wise to harden your own network with the same zeal.
I recommend reviewing the document and applying its general risk-reducing guidelines for traditional communications infrastructure to all of your technology, across your entire network.

Any change to edge devices or communication hardware should go through change management: monitored, approved and documented. Ensure that every firewall rule is approved and documented. And look beyond on-premises hardware to address equivalent cloud networking changes. For example, when using Microsoft Entra, monitor the settings surrounding trusted (named) locations and Conditional Access policies, and ensure that none of them change unless the change is documented by members of your firm.

Review ingress and egress to your network assets and determine whether you have the logging needed to document access. Once again, don't look only at your physical network; look at your cloud resources as well and ensure logging is in place there. For cloud assets, this may mean confirming you hold the licensing tier that includes the logging you need.

Enforce a "need-to-access" rule so that only administrators and workstations explicitly designated as administrative can reach sensitive devices and network locations. Set up egress filtering and access control lists to limit access by IP address, workstation or network segment as you see fit. Invest in workstations that can accept restrictive policies so they can be designated limited-access machines, trusted to remotely manage sensitive devices at the edge of your network.

Review all edge devices and ensure they are current on firmware updates and patches. We often don't have these devices under managed control and may not track their patch status. We should.
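One way to put the "no undocumented change to Conditional Access or trusted locations" rule into practice is to reconcile the Entra audit log against your change register. The script below is an added example, not code from the article or from Microsoft. It assumes events shaped like the Microsoft Graph directoryAudit resource (activityDisplayName, activityDateTime, initiatedBy, targetResources) and that your tenant emits the activity names listed in SENSITIVE_ACTIVITIES; the log entries, the ticket numbers and the change register are constructed for the demonstration.

```python
"""Change-control check for Microsoft Entra ID Conditional Access and named-location edits.

Added example, not from the article. Event fields follow the Microsoft Graph directoryAudit
resource; the events and the change register are constructed. Assumption: the
activityDisplayName strings below match what your tenant logs (verify against a real export).
"""
from datetime import datetime, timezone

# Audit activities that must never happen without a documented change.
SENSITIVE_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
    "Add named location",
    "Update named location",
    "Delete named location",
}

# Constructed change register: object changed, approver, and the approved change window (UTC).
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "target": "Require MFA for admins",
     "approved_by": "ciso@example.com",
     "window_start": "2024-12-10T08:00:00Z", "window_end": "2024-12-10T12:00:00Z"},
]

# Constructed directoryAudit-style entries; only the fields the check reads are present.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Update conditional access policy",
     "activityDateTime": "2024-12-10T09:15:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin1@example.com"}},
     "targetResources": [{"displayName": "Require MFA for admins"}]},
    {"activityDisplayName": "Add named location",            # no ticket covers this
     "activityDateTime": "2024-12-11T02:40:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@example.com"}},
     "targetResources": [{"displayName": "Trusted office egress"}]},
    {"activityDisplayName": "Update user",                   # not in scope for this check
     "activityDateTime": "2024-12-11T03:00:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@example.com"}},
     "targetResources": [{"displayName": "someone@example.com"}]},
    {"activityDisplayName": "Update conditional access policy",
     "activityDateTime": "2024-12-10T14:30:00Z", "result": "success",   # outside CHG-1042's window
     "initiatedBy": {"user": {"userPrincipalName": "admin1@example.com"}},
     "targetResources": [{"displayName": "Require MFA for admins"}]},
]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-12-10T09:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _actor(event):
    """Who made the change: a user principal, or an application if the change was automated."""
    who = event.get("initiatedBy", {})
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def find_approval(event, changes=APPROVED_CHANGES):
    """Return the change record that covers this event (same target, inside the window), else None."""
    when = _ts(event["activityDateTime"])
    targets = {t.get("displayName") for t in event.get("targetResources", [])}
    for chg in changes:
        if chg["target"] in targets and _ts(chg["window_start"]) <= when <= _ts(chg["window_end"]):
            return chg
    return None


def unapproved_changes(events, changes=APPROVED_CHANGES):
    """Sensitive policy or location changes that no approved change record accounts for."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") not in SENSITIVE_ACTIVITIES:
            continue
        if find_approval(ev, changes) is None:
            findings.append({
                "when": ev["activityDateTime"],
                "activity": ev["activityDisplayName"],
                "targets": sorted(t.get("displayName", "") for t in ev.get("targetResources", [])),
                "actor": _actor(ev),
            })
    return findings


if __name__ == "__main__":
    for f in unapproved_changes(SAMPLE_EVENTS):
        print(f"UNAPPROVED {f['when']} {f['activity']} on {f['targets']} by {f['actor']}")
```

In production you would feed it the output of the Graph `/auditLogs/directoryAudits` endpoint (or `Get-MgAuditLogDirectoryAudit`) rather than the constructed list; note that the out-of-window event on the approved policy is still flagged, which is the point of matching on the window and not just the ticket.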

Make sure VPN and edge infrastructure isn’t vulnerable

Over the past year, ransomware has entered many a business through access points such as virtual private network (VPN) infrastructure, making it vital that all assets connected to and using VPN are patched and running on supported products. Ensure that modern cryptographic algorithms are in use, and review your vendors' history of zero-day vulnerabilities and how long they took to patch them. You may want to prioritize a review of your edge access and how much risk it exposes you to, so that your analysis of your exposure to attack is accurate.

Even if you don't immediately patch a vulnerability on a workstation or server, endpoint detection often gives you enough protection to block operating-system attacks. Edge devices are different: they rarely run an endpoint agent, and attackers target them first because they know we often take much longer to patch access software, since that access must stay available for day-to-day business.

It's important to monitor your hardware and edge devices for any out-of-date or end-of-life announcements. We tend to pay attention to operating system end-of-life announcements because of the headlines and coverage the vendors provide; for example, many of us are focused on the end of support for Windows 10 in October 2025 and the Extended Security Updates that Microsoft plans to sell after that. Don't let the energy you put into that distract you from the other devices and apps that need maintenance.
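The edge-access review above (supported firmware, end-of-support dates, modern IKE/IPsec crypto) can be driven from an inventory rather than from memory. The following is an added example, not code from the article or from any vendor. The inventory, device names, version numbers and dates are constructed, and the weak-algorithm lists encode common guidance (single and triple DES, RC4, MD5 and SHA-1 integrity, Diffie-Hellman groups below 2048-bit MODP) that you should tune to your own policy; the score weights are likewise mine.

```python
"""Edge-device risk review: unsupported firmware, approaching end of support, weak VPN crypto.

Added example, not from the article. The inventory, versions and dates are constructed; the
weak-algorithm sets and score weights are assumptions to adjust to your policy.
"""
import re
from datetime import date

WEAK_ENCRYPTION = {"des", "3des", "rc4", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5, 22, 23, 24}   # 768/1024/1536-bit MODP and the 1024-bit subgroup groups
EOL_WARNING_DAYS = 180                   # warn this far ahead of the vendor end-of-support date

# Constructed inventory; "latest_supported" is the vendor's current supported release.
INVENTORY = [
    {"name": "vpn-fw01", "vendor": "ExampleVendor", "role": "internet-facing",
     "firmware": "7.0.12", "latest_supported": "7.2.4", "end_of_support": "2025-03-31",
     "ike_proposals": [
         {"encryption": "aes-256-gcm", "integrity": "sha256", "dh_group": 14},
         {"encryption": "3des", "integrity": "sha1", "dh_group": 2},   # legacy peer, still enabled
     ]},
    {"name": "branch-rtr07", "vendor": "ExampleVendor", "role": "internet-facing",
     "firmware": "15.2.1", "latest_supported": "15.2.1", "end_of_support": "2024-06-30",
     "ike_proposals": [{"encryption": "aes-256-cbc", "integrity": "sha256", "dh_group": 19}]},
    {"name": "core-sw02", "vendor": "ExampleVendor", "role": "internal",
     "firmware": "17.9.4", "latest_supported": "17.9.4", "end_of_support": "2028-01-31",
     "ike_proposals": []},
]


def version_tuple(v):
    """'7.0.12a' -> (7, 0, 12) so releases compare numerically (assumes dotted numeric versions)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def assess(device, today):
    """Return (check, evidence, weight) findings for one device."""
    findings = []
    eos = date.fromisoformat(device["end_of_support"])
    days_left = (eos - today).days
    if days_left < 0:
        findings.append(("end_of_support_passed", f"support ended {eos.isoformat()}", 10))
    elif days_left <= EOL_WARNING_DAYS:
        findings.append(("end_of_support_soon", f"{days_left} days until {eos.isoformat()}", 5))
    if version_tuple(device["firmware"]) < version_tuple(device["latest_supported"]):
        findings.append(("firmware_behind",
                         f"{device['firmware']} < {device['latest_supported']}", 4))
    for p in device["ike_proposals"]:
        weak = []
        if p["encryption"].lower() in WEAK_ENCRYPTION:
            weak.append(f"encryption {p['encryption']}")
        if p["integrity"].lower() in WEAK_INTEGRITY:
            weak.append(f"integrity {p['integrity']}")
        if p["dh_group"] in WEAK_DH_GROUPS:
            weak.append(f"DH group {p['dh_group']}")
        if weak:
            findings.append(("weak_ike_proposal", "; ".join(weak), 3))
    return findings


def risk_score(device, today):
    """Sum of finding weights, with a bump for anything reachable from the internet."""
    score = sum(weight for _, _, weight in assess(device, today))
    if score and device["role"] == "internet-facing":
        score += 3
    return score


def prioritize(inventory, today):
    """(score, name) pairs, highest risk first; clean devices are omitted."""
    scored = [(risk_score(d, today), d["name"]) for d in inventory]
    return sorted(((s, n) for s, n in scored if s), key=lambda x: (-x[0], x[1]))


if __name__ == "__main__":
    today = date(2024, 12, 15)
    for score, name in prioritize(INVENTORY, today):
        dev = next(d for d in INVENTORY if d["name"] == name)
        print(f"{name}: score {score}")
        for check, evidence, _ in assess(dev, today):
            print(f"  {check}: {evidence}")
```

Run against the constructed inventory with a review date of 15 December 2024, vpn-fw01 ranks first: it is within the warning window, behind on firmware, and still offers a 3DES/SHA-1/group-2 proposal to a legacy peer, which is exactly the kind of "modern algorithms in use?" question the paragraph above asks.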

The end of the year is a good time to ensure you’re prepared for new threats

Review your access technology and ensure that phishing-resistant multifactor authentication is used in your environment. In business settings, use hardware-backed multifactor authentication such as PKI smart cards or FIDO security keys.

Attackers have targeted and exploited Cisco hardware and software in several of these attacks. CISA recommends that you disable all services and features you are not explicitly using in your environment, and in particular that you take the following actions on Cisco devices:

- Disable Cisco's Smart Install service.
- Disable guest shell access.
- Disable all unencrypted web management.
- If a web server is used, ensure it is configured for TLS (HTTPS) connections only.
- Enable web management only if it is required.
- Disable telnet and ensure it is not enabled on any virtual teletype (VTY) line.

This is not the first, nor will it be the last, warning about threat groups backed by the People's Republic of China targeting governments and businesses. In February 2024, CISA released its advisory on Volt Typhoon and that APT's ability to target critical infrastructure and perform pre-compromise reconnaissance. As we close out the 2024 security year, I recommend you review its discussion of compromise alongside your current infrastructure. Are you prepared to protect and defend yourself from such targeted attacks? Are you prepared to patch immediately for any edge-device zero-day that may arise in 2025?
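The Cisco checklist above can be verified offline from a saved `show running-config` rather than by clicking through each device. The auditor below is an added example, not code from the article, CISA or Cisco. It checks the four configuration-visible items (Smart Install, guest shell/IOx, clear-text HTTP management, telnet on VTY lines) and prints the IOS command that remediates each. The sample config is constructed; the check names and the assumption that a missing `no vstack` line means Smart Install is still at its platform default (enabled on many Catalyst switches) are mine, so confirm the default for your platform and release.

```python
"""Audit a Cisco IOS/IOS-XE running-config for the hardening items in the CISA guidance.

Added example, not from the article or from Cisco. Reads saved `show running-config` text so it
runs offline; the sample config is constructed. Assumption: only an explicit "no vstack" proves
Smart Install is off, and "ip http secure-server" alone is acceptable when web management is needed.
"""

SAMPLE_CONFIG = """\
hostname edge-sw01
!
ip http server
ip http secure-server
!
iox
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
end
"""


def parse_blocks(config_text):
    """Split a running-config into (header, [child lines]) blocks.
    Unindented lines start a block; lines indented with a space belong to the block above."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text):
    """Return findings as (check, evidence, remediation) tuples; empty list means all checks pass."""
    blocks = parse_blocks(config_text)
    top = {header for header, _ in blocks}
    findings = []

    # Smart Install has no "enabled" line in the config; only "no vstack" shows it was turned off.
    if "no vstack" not in top:
        findings.append(("smart_install", "no 'no vstack' line present", "no vstack"))

    # Guest shell runs on IOx; flag IOx or an app-hosting guestshell stanza unless it is needed.
    if "iox" in top or any(h.startswith("app-hosting appid guestshell") for h in top):
        findings.append(("guest_shell", "iox / guestshell app-hosting configured",
                         "guestshell destroy (exec mode), then: no iox"))

    # Clear-text HTTP management; HTTPS (ip http secure-server) is left alone here.
    if "ip http server" in top:
        findings.append(("http_management", "ip http server enabled",
                         "no ip http server   (keep 'ip http secure-server' only if web management is required)"))

    # Telnet on any VTY line, or no transport line at all (then the platform default applies).
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [line for line in body if line.startswith("transport input")]
        if not transports:
            findings.append(("telnet_vty", f"{header}: no 'transport input' line (platform default applies)",
                             f"{header} / transport input ssh"))
            continue
        for line in transports:
            allowed = line.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(("telnet_vty", f"{header}: {line}", f"{header} / transport input ssh"))
    return findings


if __name__ == "__main__":
    for check, evidence, fix in audit(SAMPLE_CONFIG):
        print(f"[{check}] {evidence}\n    remediate: {fix}")
```

On the constructed config this reports all four items; after applying the printed remediations (add `no vstack`, remove `iox`, remove `ip http server`, change `line vty 0 4` to `transport input ssh`) the audit returns nothing, which is the state to hold every edge device to.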

    First seen on csoonline.com

    Jump to article: www.csoonline.com/article/3627461/how-are-you-securing-your-communications-in-the-wake-of-the-volt-typhoon-revelations.html
