From the cybersecurity policy front, Cyberscoop reports
An amendment that includes cyber protections to defend “systemically important” critical infrastructure — such as large energy utilities, telecom providers and major financial institutions — won adoption in the U.S. House of Representatives Thursday.
The legislation is an outgrowth of the work of the Cyberspace Solarium Commission, which originally recommended a model similar to that envisioned in the bill. It mandates that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) designate infrastructure needed for “national critical functions,” with operators at designated entities required to report to CISA the national cyber director on their management of cyber risk.
Designation will require organizations to disclose risk management strategies for critical assets and supply chains; share and receive threat intelligence with the government, and allow federal agencies to examine operations and assess performance-based security goals.
The amendment was made to the must-pass annual National Defense Authorization Act by voice vote. The Senate is working on its own version of the FY 2023 NDAA.
Cyberscoop adds, “The U.S. Chamber of Commerce criticized the amendment as written and sent a letter to all House members Wednesday, noting that many businesses’ “core policy goals” are not acknowledged, including legal liability protections and national preemption of state cybersecurity and protection laws.”
Health IT Security informs us
In its first-ever report, the Cyber Safety Review Board (CSRB) labeled Log4j (CVE-2021-44228) as an “endemic vulnerability” and said that vulnerable instances of Log4j could remain in systems for “a decade or longer.”
President Biden established the Cyber Safety Review Board in February 2022 as part of the administration’s executive order (EO 14028) on improving the nation’s cybersecurity. The Board is made up of 15 cybersecurity leaders from the federal government and the private sector and functions to review major cyber events and make suggestions for improving security in the private and public sectors.
For the report, CSRB reviewed instances of Log4j exploitation by engaging with approximately 80 organizations to gain an understanding of how organizations dealt with and are still dealing with Log4j.
Cybersecurity Dive explains
The [open source Log4j] vulnerability made it easy for threat actors to take control of compromised systems, and, since it was so difficult to spot without a comprehensive Log4j “customer list,” organizations struggled to identify and remediate it, according to the board.
What made the vulnerability particularly disruptive is that a third party disclosed the flaw before the Apache Software Foundation, which supports Log4j, could create a fix, the review board said. A race between threat actors and companies to exploit or fix the vulnerability ensued.
Log4j highlighted how the open source community, often composed of volunteers, has inherent risks stemming from resource constraints. In response, the board called for public and private sector stakeholders to create a hub of centralized resources to better support the open source community.
The board’s recommendations echo what the security industry has taken up as a battle cry in the last year: the software industry needs to change to create a better model of vulnerability management.
Nextgov adds
[The CSRB] has said all it plans to say on the incident referred to as “SolarWinds,” under an executive order mandate. That order came in response to the intrusion event’s compromise of several federal agencies and high-profile tech companies.
“We have fully complied with the executive order,” said Rob Silvers, undersecretary for policy at DHS. “The White House and the Department of Homeland Security together determined that when the board was launched, that at that point in time, the best use of the board’s expertise and resources was to examine the recent events involved in the Log4j vulnerability.”
Cybersecurity Dive reports
A decades-old ambition to foster a worldwide, open, secure and interoperable internet hasn’t materialized. In lieu of that, cyberspace is more fragmented, less free and more dangerous, the Council on Foreign Relations wrote this week in a report.
The U.S. is losing the cyberspace race because it remains too rigidly focused on achieving traditional American values, such as global openness, to the detriment of domestic privacy legislation, the report said. Adversaries have exploited this weakness with alarming precision and are now projecting power and exerting influence in the digital realm.
Meanwhile, federal authorities are still organizing efforts for a more cohesive and effective response by identifying roles and responsibilities in government, and strengthening collaboration between agencies and enterprises.
Many challenges remain unmet. National Cyber Director Chris Inglis, during a keynote at last month’s RSA Conference, estimated the U.S. is about four-fifths of the way there before it can effectively “crowdsource [transgressors] the way they’ve crowdsourced us.”
NIST announced activating its brand new SP 800-53 Public Comment Site. Learn more about the SP 800-53 Comment Site, and leverage the online User Guide for step-by-step instructions on how to participate in the public comment process, available under “View Candidates” and “Provide comments on candidates.” NIST 800-53 is the only NIST publication mentioned in the OPM standard FEHB contracts.
From the cyber vulnerabilities front —
- HHS’s Healthcare Cybersecurity Coordination Council (HC3) released its report on June 2022 vulnerabilities of interest to the healthcare sector.
- CISA added “one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.”
- Cybersecurity Dive reports “U.S. companies are facing an enormous challenge in managing enterprise security, as almost half of all endpoint devices — including computers and other mobile devices — cannot be detected by IT departments or they are running on outdated operating system software, according to a study from Adaptiva and the Ponemon Institute released [last] Wednesday.”
- Cybersecurity Dive also tells us, “Brute-force attacks remain, overwhelmingly, the most common threat vector for cloud service providers, comprising 51% of all attacks in the first quarter of 2022, according to analysis from Google Cloud. Threat actors automatically scan for and compromise misconfigured cloud services, but the continued use of weak or default passwords poses the greatest risk, Google’s Cybersecurity Action team concluded in its latest Threat Horizons report.”
From the ransomware front — while The Week in Ransomware’s writer is evidently on summer vacation, Bleeping Computer does alert us
Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks.
Most phishing campaigns embed links to landing pages that steal login credentials or emails that include malicious attachments to install malware.
However, over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known companies requesting you call a number to resolve a problem, cancel a subscription renewal, or discuss another issue.
When the target calls the numbers, the threat actors use social engineering to convince users to install remote access software on their devices, providing initial access to corporate networks. This access is then used to compromise the entire Windows domain [by implementing ransomware code].
From the cybersecurity defense front —
- Cybersecurity Dive discusses the challenges facing mid sized employers. For example, “The rising cost of cyber insurance continues to be an issue for mid-sized companies. Research shows almost half of all the companies surveyed saw rate increases of 76% or more during the past year.”
- Speaking of which Cybersecurity Dive also reports, “The “vast majority” of cyber insurers plan to remain in the market over the next three years as the industry establishes an operations baseline to cope with very high claim volume, research from Panaseer released this week shows. * * * [T]o keep up with demand, cyber insurers acknowledge the need to rethink the underwriting process. Nine out of 10 respondents want to create a consistent, metric-based approach to measuring an organization’s cyber risk, the survey of 400 cyber insurance decision makers shows.”