Blog entry by Les Bell

by Les Bell - Thursday, 19 October 2023, 10:13 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Really? That's Your Password?

A small study by Outpost24 makes for scary reading, suggesting that web site administrators are just as bad as ordinary users at following advice on choosing passwords - especially the advice to change default passwords after initial installation and configuration of software and systems. One of the first rules of system administration is to change any vendor-preset default password immediately: these are widely known, appearing in vendor manuals and in every attacker's wordlist, so no brute force is needed at all - the first guess works.

In fact, legislation such as the UK's Product Security and Telecommunications Infrastructure Act 2022 (not yet in force at the time of writing) and California's Senate Bill 327, the "default password law" (in force since 2020), bans universal default passwords, requiring manufacturers either to ship a unique password with each device or to force a password change as part of the installation or setup process. But for the time being, default passwords live on - and administrators either do not change them, or change them to one of a few commonly-used variants.

According to the Outpost24 research, which mined the data in the company's Threat Compass threat intelligence backend database, the 20 passwords most frequently associated with compromised accounts are:

  1. admin
  2. 123456
  3. 12345678
  4. 1234
  5. Password
  6. 123
  7. 12345
  8. admin123
  9. 123456789
  10. adminisp
  11. demo
  12. root
  13. 123123
  14. admin@123
  15. 123456aA@
  16. 01031974
  17. Admin@123
  18. 111111
  19. admin1234
  20. admin1

Oh, come on, people - it's like you're not even trying! Isn't anyone even using a password safe?

But while it's all very well to blame users, developers have to shoulder some of the blame here, too. For example, while I've recently railed against password complexity rules, it's obvious that many systems are not even enforcing an adequate minimum passphrase length, let alone requirements for multiple character types (or the even worse prohibition on repeated characters). And even where systems do enforce such requirements, administrators satisfy them in a very few predictable ways - admin123, Admin@123, admin1234 - that barely increase the search space, since password-cracking rule sets generate exactly those variations from the base word.
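As an added example, not part of the original post and not Outpost24's code, here is the kind of acceptance check a developer could put behind a password-change form. It takes the list above as the seed of a blocklist, then rejects not only those exact strings but the predictable mangled variants of their base words: capitalisation, bolted-on digits and symbols (Admin@123456789) and in-word leet substitutions (P@ssw0rd, R00t). It also enforces a minimum length, rejects digit-only strings, and rejects padding with a handful of characters. The policy thresholds, the leet table and the sample candidates at the bottom are my assumptions, not anything stated in the post or the study.

```python
import re
import unicodedata

# Seed blocklist: the 20 passwords from the Outpost24 list above.
OUTPOST24_TOP20 = [
    "admin", "123456", "12345678", "1234", "Password", "123", "12345",
    "admin123", "123456789", "adminisp", "demo", "root", "123123",
    "admin@123", "123456aA@", "01031974", "Admin@123", "111111",
    "admin1234", "admin1",
]

# Policy thresholds assumed for this example (NIST SP 800-63B mandates only 8).
MIN_LENGTH = 12      # minimum length for a user-chosen password
MIN_DISTINCT = 4     # reject "aaaaaaaaaabb"-style padding
MIN_WORD = 4         # shortest alphabetic token matched on its own

# In-word substitutions people use to satisfy "must contain a digit or symbol".
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "$": "s", "5": "s", "7": "t"}

# A segment starts and ends with a letter and may contain leet characters in
# between (p@ssw0rd, r00t, adm1n). A suffix such as "@123" is deliberately not
# part of a segment, so "admin@123" is not decoded to "adminai2e" and still
# yields the token "admin". A leading symbol ("@dmin") is a known blind spot.
_LEET_CLASS = "".join(re.escape(c) for c in LEET)
_SEGMENT = re.compile(rf"[a-z](?:[a-z{_LEET_CLASS}]*[a-z])?")


def decode_inword_leet(s: str) -> str:
    """Undo leet substitutions that sit between letters; leave the rest alone."""
    return _SEGMENT.sub(lambda m: "".join(LEET.get(c, c) for c in m.group()), s)


def candidate_forms(password: str) -> set:
    """All the base forms an attacker's mangling rules would reduce this
    password to: the case-folded string itself, plus every alphabetic token of
    at least MIN_WORD letters, taken before and after in-word leet decoding."""
    p = unicodedata.normalize("NFKC", password).casefold()
    forms = {p}
    for s in (p, decode_inword_leet(p)):
        forms.update(t for t in re.findall(r"[a-z]+", s) if len(t) >= MIN_WORD)
    return forms


def build_blocklist(seed) -> frozenset:
    """Expand the seed list into exact entries plus their base words, so that
    admin123, admin@123 and Admin@123 all collapse to 'admin'."""
    blocked = set()
    for entry in seed:
        blocked |= candidate_forms(entry)
    return frozenset(blocked)


BLOCKLIST = build_blocklist(OUTPOST24_TOP20)


def check_password(password: str, blocklist=BLOCKLIST):
    """Return (accepted, reason). The blocklist is checked first so that a
    rejected password gets the most useful explanation."""
    hits = candidate_forms(password) & blocklist
    if hits:
        return False, f"variant of blocked password {min(hits, key=len)!r}"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.isdigit():
        return False, "digits only (dates and PINs are enumerated in seconds)"
    if len(set(password)) < MIN_DISTINCT:
        return False, f"fewer than {MIN_DISTINCT} distinct characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample candidates, not drawn from the Outpost24 data.
    for candidate in ["admin", "Admin@123456789", "P@ssw0rd-2023!!",
                      "R00t-Beer-Float-77", "111111111111",
                      "grassroots-movement-2019", "correct horse battery staple"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r:32} {'OK' if ok else 'NO'}  {why}")
```

Two design points are worth noting. Matching is done on whole alphabetic tokens rather than substrings, so a passphrase such as grassroots-movement-2019 is accepted even though it contains "root", while R00t-Beer-Float-77 is rejected because one of its tokens decodes to exactly "root". And the blocklist is checked before the length rule, so that Admin@123456789, which satisfies a 12-character minimum and every complexity rule, is still rejected with a reason that tells the user what was actually wrong.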

Developers should be incorporating stronger authentication mechanisms, ideally based on cryptographic techniques, with a view to abandoning passwords completely in due course. We've been doing this for command-line administration for decades now: the default for most IaaS cloud instances is to log in with an SSH private key rather than a password, and an SSH authentication agent (OpenSSH's ssh-agent, or PuTTY's Pageant on Windows) makes this extremely convenient by eliminating key passphrase prompts for the working day. For web access, FIDO2 authentication via passkeys is similarly easy, or even easier.

Remember, these passwords come from stolen credentials, which also suggests that complementary controls such as multi-factor authentication were not implemented - or were easily circumvented by an adversary-in-the-middle (reverse-proxy phishing) attack. And of course, this list says nothing about credentials which were not stolen, so we know that not all admins are this bad. All the same, we can see how easy it is for even script kiddies to compromise some systems.

Outpost24, IT admins are just as culpable for weak password use, blog post, 17 October 2023. Available online at https://outpost24.com/blog/it-admins-weak-password-use/.

Multiple Agencies Update "Secure By Design" Principles

A large coalition of national cybersecurity agencies - rather than listing them all, it's easiest to say that Russia, China, North Korea and Iran are not on the list - has updated the guidance issued earlier this year on principles and approaches for software that is secure by design. Citing the need to shift the balance of cybersecurity risk - specifically, the impact of threats - from customers to developers and manufacturers, the guidance revolves around three fundamental principles for technology vendors:

  • Take ownership of customer security outcomes
  • Embrace radical transparency and accountability
  • Build organizational structure and leadership to achieve these goals - lead from the top

In support of each of these principles, the publication outlines a number of practices. For example, under the first principle, the practices include:

  • Eliminate default passwords (surprise!)
  • Conduct security-centric user field tests
  • Reduce hardening guide size
  • Actively discourage use of unsafe legacy features
  • Implement attention grabbing alerts
  • Create secure configuration templates
  • Document conformance to a secure SDLC framework
  • Document Cybersecurity Performance Goals (CPG) or equivalent conformance
  • Vulnerability management
  • Responsibly use open source software
  • Provide secure defaults for developers
  • Foster a software developer workforce that understands security
  • Test security information and event management (SIEM) and security orchestration, automation, and response (SOAR) integration
  • Align with Zero Trust Architecture (ZTA)
  • Provide logging at no additional charge
  • Eliminate hidden taxes (do not charge for security and privacy features or integrations)
  • Embrace open standards
  • Provide upgrade tooling

There's a lot more, for the other principles.

At only 36 pages, this guide is aimed primarily at senior managers - it is certainly much smaller than any of the many textbooks on correctness-by-construction and secure programming intended for architects and programmers. That is not to say developers need not at least skim it; there are some useful ideas in there.

CISA et al., Secure By Design - Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, technical report, 16 October 2023. Available online at https://www.cisa.gov/resources-tools/resources/secure-by-design.



These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR. Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.