Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

The Senate passed legislation (S. 3600) Tuesday evening requiring critical infrastructure owners to report to the feds when they suffer a major cyberattack or make a ransomware payment — shaking loose a bill that got stuck in the chamber last year.

Under the measure, which now moves to the House for potential consideration, those critical infrastructure owners and operators as well as federal agencies would have to disclose a significant incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours. The same owners and operators would have to report any ransomware payments to CISA, too, only within 24 hours.

Its intent is to give CISA the information it needs to more widely share threat data to help curtail major cyberattacks rippling through key targets, such as what happened in late 2020 when federal contractor SolarWinds suffered a compromise that ended up spreading to federal agencies and major tech companies.

The bill also contains other provisions designed to strengthen federal agencies’ digital defenses. The package got sidelined at the end of 2021 when lawmakers couldn’t resolve a dispute in time over to whom the ransomware requirements should apply, leaving it out of an annual defense policy bill that Congress has enacted for 61 straight years.

The Senate, which passed the bill by unanimous consent, sent S. 3600 over to the House of Representatives for its consideration.

From the Ukrainian war front —

  • CISA continues to update its Shields Up website.
  • The HHS Cybersecurity Program issued an Analyst Note on “The Russia-Ukraine Cyber Conflict and Potential Threats to the US Health Sector.”

With the risk of cyberattacks on the rise due to the war in Ukraine, experts say HR teams should be increasingly vigilant for threats that will disrupt operations.

Beyond phishing trainings and ransomware education, HR may feel divorced from cybersecurity concerns. In the event of an outage or attack, however, people operations managers will be the ones to put their companies back on track, serving as a key liaison between the IT department and company staff at large, so preparation is key.

“HR has historically been responsible for communicating policies and work expectations even if they aren’t produced through a written policy. That’s really what’s necessary for cybersecurity to be effective,” Elizabeth Chilcoat, an associate at Sherman & Howard, said. 

It’s HR’s job to break down post-attack protocol into layman’s terms, both to keep the peace internally and for compliance reasons, she said. 

  • The American Hospital Association offers a podcast and other resources concerning “Russia, Ukraine and Cybersecurity in U.S. Health Care Sector.”

More generally, on Thursday, the HHS Cybersecurity Program posted a PowerPoint on “Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead,” and Bleeping Computer’s “The Week in Ransomware” is back.

This week’s biggest story is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and TrickBot operation.

From the cyberdefense front

  • ZDNet reports “The US Cybersecurity and Infrastructure Security Agency (CISA) just added a whopping 95 new bugs to its catalogue of known exploited vulnerabilities, including multiple critical Cisco router flaws, Windows flaws new and old, and bugs in Adobe Flash Player, and more. ‘CISA has added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,’ the agency said.”
  • CNBC reports on why companies are moving to the zero trust model of cybersecurity.
  • ISACA describes a five-layer view of data center systems security.
  • Health IT Security tells us

Proper employee cyber hygiene is crucial to maintaining healthcare cybersecurity, a new report conducted by the Center for Generational Kinetics (CGK) and commissioned by Mobile Mentor suggested.

A survey of 1,500 employees across four highly regulated industries (finance, education, government, and healthcare) found that poor password hygiene and new employee onboarding left organizations vulnerable to cyber risks.

More than a third of respondents admitted to finding ways to work around their organization’s security policies, and 72 percent of respondents reported valuing their personal privacy over company security.