Systems - Russell Mickler

Microsoft L2TP Client Work-Around

Microsoft broke its own L2TP client with its January 2022 roll-up patches. Here's a quick fix that keeps the roll-ups installed while allowing L2TP VPNs to work normally on a Windows 10 or Windows 11 computer.

On January 11, 2022, Microsoft released KB5009543 for Windows 10 and KB5009566 for Windows 11 as part of its January 2022 roll-up. After applying the patches, administrators found that L2TP connections from remote Windows computers using the built-in L2TP client would fail at connection time.

At the time of this writing, Microsoft hasn't pulled the roll-up and hasn't issued a hotfix; it suggests instead that the IPsec server be modified to disable the Vendor ID payload in negotiation.

As this isn't an option for most firewalls and would require vendors to post firmware updates for tens of thousands of product SKUs, the problem has effectively turned into a pissing match between hardware vendors and Microsoft. Hardware vendors claim this is a Microsoft issue and advise customers to remove the patch; Microsoft claims its IPsec client implementation is correct. Meanwhile, the VPNs of millions of people working from home don't work.

Removing the patch isn't a suitable option when dealing with classified networks. As a system administrator, I have an obligation to apply Microsoft's roll-ups to protect my clients' data and networks. Rolling back would jeopardize the IT assets I'm responsible for and might even invalidate cyber-insurance policies, because I'd have done the exact opposite of what I'm supposed to do: sacrificed a whole month of security patches in favor of one working feature. And that feature would break again on the next roll-up unless I disabled patching on the remote machine altogether, which only makes the problem worse over time.

The real fix, then, is for Microsoft to either pull the patch or issue a hotfix. Since Microsoft is (again) not stepping up to address the mess it made, here's a good work-around: roll back just the one DLL that changed, ikeext.dll, and keep the rest of the roll-up.

  1. On a machine that doesn't have the KB updates mentioned above (or on the affected machine after removing the KB), find the file c:\windows\system32\ikeext.dll. It'll be dated 2021.

  2. Copy this file somewhere safe (a USB drive or a network share) so you have a known-good copy.

  3. Apply the January 2022 patches and reboot.

  4. You'll now find a 2022 version of ikeext.dll in the c:\windows\system32 folder.

  5. Take control of that file: change its owner from TrustedInstaller to a local administrator (perhaps the account you're using), then grant yourself Full Control.

  6. Using Task Manager, under the Services tab, find IKEEXT (the "IKE and AuthIP IPsec Keying Modules" service, which is what loads ikeext.dll) and stop it.

  7. Rename c:\windows\system32\ikeext.dll to ikeext.dll.old, providing administrator elevation to do so.

  8. Copy your 2021 version of ikeext.dll into the same path.

  9. Restart IKEEXT under the Services tab, or reboot the machine.

You'll find that your L2TP VPN now works, with the January 2022 patches still installed and the roll-back isolated to one DLL. Two caveats: whatever fixes the roll-up shipped inside ikeext.dll are gone along with it, so treat this as a stop-gap; and the next cumulative update (or an SFC/DISM repair) will overwrite the file with a current build, so expect to repeat the swap until Microsoft ships a hotfix, and once it does, let the new build stand.
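The same nine steps as one elevated PowerShell script, added here as an example; it is not from the original post. It assumes the 2021 copy of ikeext.dll was saved to C:\Backup\ikeext.dll (a placeholder path) and that the script runs from an elevated prompt on the patched machine.

```powershell
# Added example (not from the original post): swap the January 2022 ikeext.dll
# for the 2021 build saved earlier. Run from an elevated PowerShell prompt.
# ASSUMPTION: the 2021 copy was saved to C:\Backup\ikeext.dll (placeholder path).
$Good   = 'C:\Backup\ikeext.dll'
$Target = Join-Path $env:SystemRoot 'System32\ikeext.dll'
$Svc    = 'IKEEXT'   # display name "IKE and AuthIP IPsec Keying Modules"

if (-not (Test-Path $Good)) { throw "Backup copy not found at $Good" }

# Show both builds so the swap can be confirmed afterwards.
$installed = Get-Item $Target
'Installed ikeext.dll: {0} (modified {1})' -f $installed.VersionInfo.FileVersion, $installed.LastWriteTime
'Backup    ikeext.dll: {0} (modified {1})' -f (Get-Item $Good).VersionInfo.FileVersion, (Get-Item $Good).LastWriteTime

# Step 5: take ownership away from TrustedInstaller (/A gives it to the
# Administrators group) and grant Administrators Full Control.
takeown.exe /F $Target /A | Out-Null
icacls.exe $Target /grant '*S-1-5-32-544:F' | Out-Null   # SID of BUILTIN\Administrators

# Step 6: stop the keying service so the DLL is not in use (-Force stops dependents too).
Stop-Service -Name $Svc -Force

# Steps 7 and 8: keep the 2022 build as .old and drop in the 2021 build.
Move-Item -Path $Target -Destination "$Target.old" -Force
Copy-Item -Path $Good -Destination $Target

# Step 9: restart the service and report which build is now on disk.
Start-Service -Name $Svc
'Active ikeext.dll is now {0}; {1} is {2}' -f (Get-Item $Target).VersionInfo.FileVersion, $Svc, (Get-Service $Svc).Status
```

The SID is used instead of the group name so the icacls call also works on non-English installs. Keep the .old file: it is the quickest way back if the older DLL misbehaves, and it is the build you want in place once a hotfix arrives.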

R

Management, Info System Security - Russell Mickler

Protecting Your Systems in 2022

Here’s what we’ll be doing in 2022 to help our small business clients with IT security.

2021 offered an unprecedented number of challenges to small business information systems.

I wanted to take a few minutes to talk about the overall strategies that I’ll be using to protect my clients in the coming year.


Defense in Depth

There's no such thing as a magic pill: no one product, solution, or strategy can safeguard IT assets 100% of the time, and anyone who tries to convince you otherwise is trying to sell you one. If you believe that sales pitch, you've already fallen into a trap of the mind; you're making too many assumptions, and assumptions won't keep you safe.

Instead, it is more rational to perceive risk in terms of layers of control.

Here are some examples:

  • one layer controls the physical access to a network;

  • another controls the wireless access to a network;

  • another controls the remote access to a network;

  • another layer authenticates who you are to that network;

  • another defines what software you do or do not have access to.

Five layers, five controls.

Over time, we can measure and test each control to prove that it works, and we can then say, with some degree of certainty, that our systems are secure.

Security, after all, is just a feeling: it is the confidence that we have in our safeguards. If you’re not already managing your IT in layers, how can you have any confidence that your systems are secure? Well, you can’t - you’re just making assumptions - and assumptions do not equal confidence.


Cloud Computing

Most small businesses do not have computer and network expertise on staff. And aside from the talent problem, managing IT assets and information systems is extraordinarily risky and costly. So unless computer expertise is a core competency, why do it?

It is far better for small businesses to outsource that risk and push it onto the backs of vendors who can operate at a better economy of scale and can manage IT better than them.

Somebody like Google can manage your email more cost-effectively than you can, and they have an army of professionals safeguarding your data. So why not let Google handle your email instead of running your own email server? The same could be said for applications, files, phone calls, databases, and device management.

In doing so, small businesses transform IT into an always-on utility - a system like electricity and water - allowing for the most reliable, cost-effective access, using any device, anywhere.

You don’t keep an electrician on-hand to deal with electrical problems, right? And you don’t keep a plumber on your payroll to handle the plumbing problems and run more water into your building. The same should be for your IT. Outsource the risk; transform IT into a utility.

In 2022, I’ll continue to push my small business clients to abandon running their own on-prem servers and devices, and to leverage cloud computing to the greatest extent possible.


Identity and Access Control

One of the biggest challenges in IT today is the theft of somebody's identity to gain access to a confidential system. It's primarily done with phishing attacks: a bad actor sends your team an email that looks legitimate; they click a link and land on a website that looks and feels legitimate but was really set up by the bad guys to capture their username and password for a secure system.

It's a huge problem, and employee training isn't enough. The bad guys get more sophisticated every day. We need technical controls that adapt, using machine learning (ML) and artificial intelligence (AI), to spot the phishing attack and prevent the user from even seeing it. Google's Gmail uses these tools to constantly screen out attacks from aggressors intent on stealing identity information from your employees.

Combined with good password-management policies, multi-factor authentication, and admin alerts on end-user access, adaptive ML/AI promises to reduce these attacks significantly. In 2022, in my role as a Google Partner, I'll continue to help my clients get the greatest benefit from their cloud platform investment by securing their identities.


Endpoint and Mobile Device Management

Another vector of attack against your systems is through exploiting the human propensity to procrastinate and ignore risk.

A good example is computer security updates. Many users deliberately tell their computers not to apply updates, or won't restart their machines after receiving them. Either way the system never gets the protection the update was meant to provide, and over time the missing patches create holes that aggressors can drive a truck through.

Endpoint Management (EPM) uses software to enforce the compliance of managed computers so that they always receive their security patches. EPM also takes care of antivirus, anti-malware, and intrusion detection, and it provides a set of tools to remotely bring assets back into compliance so they're safe to use.

Mobile Device Management (MDM) applies similar controls to the devices approved to access company information remotely (mobile phones, tablets, and laptops), so that those devices are themselves controlled.

Used together, MDM and EPM alert administrators to take action when a machine keeps falling outside the acceptable patching window or suffers malware or an attack; they prevent unauthorized, lost, or stolen devices from accessing secure information; and they give a dashboard-level picture of a company's overall security posture. It's the best, most cost-effective way to prevent loss rather than react to it.
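The basic compliance check an EPM agent runs on each Windows machine, written out here as an added example (it is not from the original post and is not the author's endpoint-management product). It reads the two registry flags Windows sets when a restart is still pending and the install date of the most recent hotfix; the 30-day threshold is an assumed policy value.

```powershell
# Added example (not from the original post): local patch-compliance check of the
# kind an endpoint-management agent performs. ASSUMPTION: 30 days is the policy limit.
$MaxDaysSincePatch = 30

function Get-PatchCompliance {
    # Windows creates these keys when an update has been installed but the
    # machine has not been restarted yet (the "won't restart" case above).
    $pendingKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = @($pendingKeys | Where-Object { Test-Path $_ }).Count -gt 0

    # Most recent hotfix with a recorded install date (the "no updates" case above).
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $days = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RebootPending  = $rebootPending
        LastHotFix     = if ($lastPatch) { $lastPatch.HotFixID } else { 'none recorded' }
        DaysSincePatch = $days
        Compliant      = (-not $rebootPending) -and ($null -ne $days) -and ($days -le $MaxDaysSincePatch)
    }
}

$status = Get-PatchCompliance
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning 'Out of compliance: an EPM agent would flag this machine for remediation (install updates and/or restart).'
}
```

Get-HotFix only reports updates recorded by Windows Update as hotfixes, so a machine that is current but shows no recent entries should be checked against the Windows Update history before it is marked non-compliant; a real agent reports this state centrally rather than to the console.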

In 2022, I’ll be attempting to convince most of my clients to join my endpoint management program and implement MDM to best control their systems.


Managed Browsers

Increasingly, phishing attacks come not just from email but from what are referred to as browser hijacks. Websites and software redirect the user's browsing to sites that attempt to steal identity credentials or personally identifiable information (PII). Hijacks threaten not only the user but any confidential information that may exist on their computer.

These risks demand that IT controls be extended to the Internet browser. Managed browsers run on any device anywhere, but they receive a central set of policies. Those policies dictate how the browser can be used, when it can be used, which sites and software are okay to use and which aren't, and they prevent the user from reaching known-bad websites that could harm them.
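The same class of policy applied locally to one Windows machine through Chrome's policy registry keys, so the effect can be checked without a cloud console. This is an added example, not from the original post and not the Workspace-delivered policy the author deploys; the hostnames and the extension ID are placeholders, the policy names are Chrome's own, and it must run elevated.

```powershell
# Added example (not from the original post): Chrome browser policies set locally in
# the registry. PLACEHOLDERS: the hostnames and the 32-character extension ID.
$Base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeListPolicy {
    # Chrome stores list policies as a subkey whose values are named "1", "2", ...
    param([string]$Name, [string[]]$Entries)
    $key = Join-Path $Base $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }   # replace, don't append
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        New-ItemProperty -Path $key -Name ([string]($i + 1)) -Value $Entries[$i] -PropertyType String -Force | Out-Null
    }
}

New-Item -Path $Base -Force | Out-Null

# Which sites are and aren't okay: block known-bad hosts (and local files), allow the intranet.
Set-ChromeListPolicy -Name 'URLBlocklist'  -Entries @('known-bad.example', 'file://*')
Set-ChromeListPolicy -Name 'URLAllowlist'  -Entries @('intranet.example.com')

# Which software is okay: block every extension except those explicitly allowed.
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Entries @('*')
Set-ChromeListPolicy -Name 'ExtensionInstallAllowlist' -Entries @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')  # placeholder ID

# Known-bad websites: Safe Browsing level (0 = off, 1 = standard, 2 = enhanced).
New-ItemProperty -Path $Base -Name 'SafeBrowsingProtectionLevel' -Value 2 -PropertyType DWord -Force | Out-Null

# Read back what Chrome will see; chrome://policy on the machine shows the same data.
foreach ($sub in Get-ChildItem -Path $Base) {
    $vals = $sub.GetValueNames() | ForEach-Object { $sub.GetValue($_) }
    '{0}: {1}' -f $sub.PSChildName, ($vals -join ', ')
}
'SafeBrowsingProtectionLevel: {0}' -f (Get-ItemProperty -Path $Base).SafeBrowsingProtectionLevel
```

Chrome marks registry-delivered policies as machine policy and the user cannot override them from the settings page; a cloud-managed browser receives the same policy names from the console instead of the registry.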

In my role as a Google Partner, in 2022, I’m going to help a majority of my clients by deploying managed browsing policies governed by their Google Workspace investment to help keep their teams safe while using the Internet.


Perimeter Control

Every network has infrastructure devices that control the flow of information. You're probably familiar with them as routers, switches, bridges, and gateways. Most are simple computing appliances without a high degree of security built in.

These devices do their work day in and day out, and most of the time you don't even have to think about them. Over time, though, their firmware needs updating; for the same reasons we patch computers, we must also patch these devices. Aggressors know that this equipment often goes unnoticed and unsecured precisely because nobody is thinking about it.

Well, I’m thinking about it. In 2022, I’ll be helping my clients identify their network’s perimeter infrastructure, either patching or replacing suspect equipment, and implementing tighter security controls over them.


Training

All the ML/AI in the world can’t beat human instinct or well-trained human behaviors. Technical controls to help secure the workplace are great but real security - real confidence - begins and ends with training people.

Your team must be brought up to speed about the most recent threats and concerns, and given tools to help them navigate the risk.

Sometimes the best training simply interrupts an emotional response to a problem. Getting somebody to pause before clicking a link, so they can ask for advice, is an interrupt a hacker can't thwart. The most skilled hacker can rarely beat an attentive, trained human; they're counting on the human not paying attention and not being trained.


Technical controls, therefore, aren't enough. This next year I'll be pushing training to teach and inspire others to take these threats seriously. Beyond that, responding to these problems in depth (implementing layers of controls, shifting more and more risk to cloud providers, putting strong controls over identity and Internet browsing in place, and inspecting the perimeters of our networks) will give my clients a stronger sense of security next year.

R

Systems, Info System Security - Russell Mickler

How to Disable Admin Access to Zyxel from WAN

Zyxel recently announced a security vulnerability affecting its products. WAN access to the admin console is part of the problem. Here's how to turn it off and walk through a remediation process.

Zyxel recently announced a security issue concerning its USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware.

An aggressor who can reach the admin login from the WAN can insert a new routing policy and new backdoor admin users. A full write-up and remediation process can be found here.

Currently, there’s no fix.

In the meantime, here's how to disable admin access to the console from the WAN.

WARNING:

Once you take this step, you'll have to reach the web console from the LAN, so you'll need to be behind the firewall to manage the device until you re-enable HTTPS in the WAN service group. Do this from a local machine on the LAN, or through a VPN connection that terminates behind the firewall.

  1. Login to the Zyxel as Admin.

  2. Go to Configuration > Object > Service.

  3. Select the Service Groups Tab.

  4. Find the Default_Allow_WAN_To_ZyWALL service group.


If HTTPS is in the group's Member list, select it and remove it. Only remove management protocols; leave the VPN-related members (IKE, ESP, NAT-T) alone or remote VPN users will be cut off.


Click OK and the configuration is saved.

Your ZyWALL is now closed to this attack path. It does nothing for a device that was already compromised, though; that's what the next section is for.
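A quick way to prove the change took, added here as an example (not from the original post): from a machine outside the firewall, check whether the management ports still answer on the WAN address. The address is a TEST-NET placeholder; the port list is an assumption covering HTTPS, HTTP and SSH.

```powershell
# Added example (not from the original post): confirm from OUTSIDE the firewall that the
# web console no longer answers on the WAN interface. PLACEHOLDER: $WanIp (TEST-NET-3).
$WanIp = '203.0.113.10'

function Test-WanManagement {
    # Returns one object per port with whether a TCP connection succeeded.
    param([string]$Target, [int[]]$Ports = @(443, 80, 22))
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

$results = Test-WanManagement -Target $WanIp
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Open }) {
    Write-Warning 'A management port still answers from the WAN: confirm the service group saved, and that no other policy allows it.'
} else {
    'No management ports reachable from the WAN.'
}
```

Run it once before removing HTTPS (port 443 should report Open = True, which proves the test can see the device) and again afterwards, when it should report False.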

Recommendations from Here

  1. Walk through the remediation article I cited above to see if your Zyxel product was affected by the attack.

  2. Take the necessary remediation steps or prove that your device wasn’t affected.

  3. Update your device’s firmware.

My Advice: Don't trust the Cloud Update procedure inside the device.

I find the Cloud Update in the GUI misreports highest firmware versions.

Confirm the actual latest version for your product by logging in to portal.myzyxel.com, going to My Devices, and attempting to download the latest firmware. Compare that version number with the versions on your device's active and standby partitions.

If you need to update, upload the firmware manually to the standby partition and, when prompted, choose the option not to reboot.

The Zyxel will start the upload process (be patient; it takes a while) and shouldn't reboot on you (I've had several USG40s that rebooted regardless).

If the device doesn't reboot on its own, reboot it yourself afterwards on your own schedule.

On reboot it makes the newer firmware in the standby partition active, putting you on the latest release.

As of this writing, Zyxel doesn't have a fix yet; repeat this procedure to manually install the fixed firmware once it's released. You should then be able to re-add HTTPS to the WAN service group, though if nobody actually needs to manage the device from the Internet, leaving it off is the safer choice.

R
