On Tuesday February 23, the Senate Select Committee on Intelligence held a hearing on the SolarWinds hack. FCW and CyberScoop report on the hearing here and there. Per CyberScoop
More than two months after the hack became public, the wide-ranging Senate Select Committee on Intelligence hearing committee demonstrated that the U.S. government, the private sector and digital incident responders still are wrestling with the ramifications of an suspected Russian espionage campaign that leveraged the federal contractor SolarWinds.
A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amount to espionage, or something worse, and suspicions abound that more victims remain unrevealed.
“It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here,” said Senate Intelligence Chairman Mark Warner, D-Va.
The House Oversight and Reform Committee held its own SolarWinds hack hearing yesterday. “The hearing examine[d] the role of the private sector in preventing, investigating, and remediating these attacks, as well as the need for Congress and the Executive Branch to implement a strategy to strengthen cybersecurity across federal government networks and improve information-sharing with the private sector.”
In other SolarWinds hack related news, CyberScoop reports that
Microsoft is offering up the tool it used to track down potential indicators of compromise in the sweeping SolarWinds breach, the company announced Thursday.
Microsoft is releasing the so-called CodeQL queries it used to investigate its source code, in an effort to help other organizations mitigate the risk from the cascading cyber-espionage campaign involving a breach at the U.S. federal contractor SolarWinds. Microsoft is aiming to help firms pinpoint code-level indicators of compromise (IoCs), Microsoft’s Security Team said in a blog.
By digging into their own code, organizations can assess if they have been compromised by the hack, in which suspected Russian hackers laced malicious software in a SolarWinds product’s software update, Microsoft said. The company has described the campaign as “Solorigate.”
- CyberScoops reports that on Wednesday February 24, “President Joe Biden signed an executive order on Wednesday directing federal agencies to conduct a review of supply chain security risks in industries including information technology. * * * Specifically, the order directs reports within one year from the the secretaries of Agriculture, Defense, Energy, Health and Human Services and Transportation — along with a joint Commerce/Homeland Security report — that include an assessment of cyber risks within key industry sectors that could disrupt the U.S. supply chain.”
In other cybersecurity related news —
- Bleeping Computer discusses at reasonable length the Zero Trust security model that the FEHBlog referenced in a recent post. “The National Security Agency (NSA) and Microsoft are advocating for the Zero Trust security model as a more efficient way for enterprises to defend against today’s increasingly sophisticated threats. The concept has been around for a while and centers on the assumption that an intruder may already be on the network, so local devices and connections should never be trusted implicitly and verification is always necessary. Cybersecurity companies have pushed the zero-trust network model for years, as a transition from the traditional security design that considered only external threats.”
- Bitglass, a cloud security vendor, released its seventh annual healthcare data breach report.
Key Findings [from the company’s announcement]
- The average cost per breached record increased from $429 in 2019 to $499 in 2020. With 26.4 million records exposed in 2020, data breaches cost healthcare organizations $13.2 billion.
- Outside of hacking and IT incidents, the remaining breach categories exposed the personal details of about 2.3 million people, exposing victims to identity theft, phishing, and other forms of cyberattacks.
- This year, breach numbers were up across the board, with 37 out of 50 U.S. states suffering more breaches than they did in 2019. California had the most healthcare breaches in 2020 with 49 incidents–surpassing last year’s leader, Texas, which suffered 43 breaches in 2020.
- In 2020, the average healthcare firm took about 236 days to recover from a breach.
- The FEHBlog recently noticed that the Office of Personnel Management has posted its 4th Quarter 2020 report on the implementation of its FEHB Master Enrollment Index.