Robin’s Newsletter #277

8 October 2023. Volume 6, Issue 41
CISA publishes list of top 10 security misconfigurations. Red Cross sets out hacktivism rules of engagement. MGM Resorts says cyberattack will cost $100 million.

This week

NSA, CISA Top 10 misconfigurations

  • The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory (PDF) highlighting the most common cyber security misconfigurations exploited by attackers:
  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multi-factor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution
  • CISA says these illustrate “a trend of systemic weaknesses in many large organisations” and encourages “properly trained, staffed, and funded network security teams” to mitigate these weaknesses.
  • The advisory calls for software manufacturers to reduce the prevalence of these misconfigurations in their products, particularly by eliminating default passwords, providing high-quality audit logs to customers “at no extra charge,” and mandating multi-factor authentication.

The Red Cross proposed rules of engagement for hacktivists

  • The International Committee of the Red Cross (ICRC) has set out twelve rules of engagement concerning hacktivist involvement in cyber warfare. It follows a “worrying trend” of increasing civilian involvement in conflicts, such as through groups like the IT Army of Ukraine.
  • Eight of the rules apply to hacktivists and aim to minimise the potential for overspill that could affect civilians or have an impact on humanitarian responses:
  1. Do not direct cyberattacks against civilian objects
  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
  3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians
  4. Do not conduct any cyber operation against medical and humanitarian facilities
  5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces
  6. Do not make threats of violence to spread terror among the civilian population
  7. Do not incite violations of international humanitarian law
  8. Comply with these rules even if the enemy does not
  • The remaining four rules are aimed at dissuading nation-states from encouraging hacktivist action:
  1. If civilian hackers act under the instruction, direction or control of a State, that State is internationally legally responsible for any conduct of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law
  2. States must not encourage civilians or groups to act in violation of international humanitarian law
  3. States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory
  4. States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations

Interesting stats

70% of organisations encountering human-operated ransomware had fewer than 500 employees, 80-90% of successful ransomware compromises originated through unmanaged devices, and 13% of attacks that reached the ransom phase included some form of data exfiltration, amongst the many cybercrime stats in Microsoft’s Digital Defence Report 2023.

$20 million offered by a Russian zero-day broker for a chain of bugs in WhatsApp to compromise iOS and Android devices.

Other newsy bits / in brief

And finally
