From the cyber policy front —
Cybersecurity Dive reports
Cybersecurity and Infrastructure Security Agency Director Jen Easterly praised the efforts of the Joint Cyber Defense Collaborative (JCDC) following its one-year anniversary, saying in a blog post the public-private partnership has helped limit cyber risk at scale.
JCDC helped federal agencies and private sector partners mitigate some major cybersecurity threats, Easterly said, including the Log4Shell crisis from December 2021; the development of the Shields Up campaign related to the Russia invasion of Ukraine; and the Daxin malware discovery from February.
JCDC recently expanded to include industrial control partners. The change comes at a time when sophisticated malware threatens major critical infrastructure targets in the U.S. JCDC is also working to protect the nation’s election infrastructure from nation-state threats ahead of the November midterm elections.
U.S. executives now consider cyberattacks the No. 1 risk companies are confronting, according to a PwC Pulse survey released Thursday. The study shows 40% of top business executives consider cyberattack risk their top concern, followed by talent acquisition at 38%.
Cybersecurity concerns have moved well beyond the office of the CISO or cyber risk officer, as the entire C-suite and corporate boards are focused on the risks of cyberattack.
Almost half of all corporate executives said they are making additional investments in cybersecurity, while slightly more than half of executives said they are increasing investments in digital transformation.
Health IT Security adds
US Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), both co-chairs of the Cyberspace Solarium Commission (CSC), wrote a letter to HHS Secretary Xavier Becerra asking about the current status of HHS’ healthcare cybersecurity efforts.
King and Gallagher, who also authored the Sector Risk Management Agency (SRMA) legislation, urged HHS and the Biden administration to bolster cybersecurity efforts and called on HHS to hold an urgent briefing on the administration’s current cybersecurity posture and plans for improvement.
From the cyber vulnerabilities front —
The Wall Street Journal reports
All companies should be using two-factor authentication at least to secure their systems, but relying on text messages alone is foolish, cybersecurity experts say.
The process, known as 2FA, adds another level of protection to systems by requiring users to verify their identity through more than just a password. Often, this takes the form of a verification code sent by text message—or SMS—or voice calls, but experts warn that these systems are becoming increasingly out of date.
“SMS was never designed to be a 2FA method,” said Jamie Boote, associate principal consultant at cybersecurity company Synopsys Software Integrity Group. “Originally, it was a maintenance communication channel between cell towers and phones. It only became a consumer-centric communications channel after users discovered they could send text messages to one another.”
The widespread use of SMS as a security mechanism has also increased hackers’ focus on compromising the technology, Mr. Boote said. Hackers also use SMS as an avenue to launch other attacks, he said. Common methods include phishing attacks by text message, known as smishing, and SIM-swapping, in which a cellphone is cloned, meaning attackers can read messages sent to a device. * * *
Mobile security specialists say the best forms of protection for 2FA are security tokens such as those developed by the Fast Identity Online Alliance, or FIDO, a consortium including Apple Inc., MicrosoftCorp. and Alphabet Inc.’s Google that is creating open security standards. The general lack of security in mobile phones means they are often easy targets for hackers without the added protection that more advanced security technologies such as those developed by FIDO provide, said Hank Schless, senior manager of security solutions at cyber company Lookout Inc.
ZDNet adds
Using [Multi factor authorization] MFA protects against the vast majority of attempted account takeovers, but recently there’s been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organizations have been targeted in this way during the last year.
One option to for hackers who want to get around MFA is to use so-called adversary-in-the-middle (AiTM) attack which combined a phishing attack with a proxy server between the victim and the website they’re trying to login to. This allows the attackers to steal the password and session cookie which provides the additional level of authentication they can exploit – in this case to steal email. The user simply thinks they have logged into their account as usual.
“Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” as Microsoft notes of that particular campaign. * * *
While it isn’t totally infallible, using multi-factor authentication is still a must as it stops a significant amount of attempted account takeover attempts. But as cybercriminals get smarter they’re increasingly going to go after it – and that requires extra levels of defense, particularly from those responsible for securing networks.
“It’s good it’s recommended because you won’t be the lower hanging fruit. But you definitely need to augment it with additional layers of security because, just like any other siloed security solution, it can be circumvented and you can’t think everything is secure, just because of one security layer,” says Etay Maor, senior director of security strategy at Cato Networks.
There’s been a big rise in cybercriminals combining fraudulent emails and telephone calls to trick victims into disclosing sensitive information like passwords and bank details.
Known as vishing attacks, criminals and scammers telephone victims and attempt to use social engineering to trick them into giving up personal data.
Researchers warn that vishing and other email-based phishing attacks will continue to be a problem – but there are steps with organisations can take to help prevent attacks.
“Capabilities to automatically detect and remove threats from all infected employee inboxes before users can interact with them also plays a critical role, as well as a proper security training regimen, to prepare users to be on the lookout for such threats,” said John Wilson, the senior fellow responsible for threat research at Agari.
The Health Sector Cybersecurity Coordination Center (HC3) issued an analysts note on vishing this week.
This week
- CISA “and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform.
- CISA also added seven known exploited vulnerabilities to its catalog.
- HC3 issued a Sector Alert on Apple fixes to two Zero Day Exploits.
- HC3 also released its vulnerability bulletin concerning “July Vulnerabilities of Interest to the Health Sector.”
HC3 posted a PowerPoint presentation on the impact of social engineering on healthcare.
From the ransomware front, here is a link to the latest Bleeping Computer’s Week in Ransomware.
From the Cyber defenses front —
Cybersecurity Dive reports
A fundamental shift in information security practices is underway, as 55% of organizations now have a zero trust initiative in place, more than double the 24% totals from a year ago, according to the State of Zero Trust report from Okta released Tuesday.
The report shows almost universal adoption of zero-trust principles, as 97% of businesses either have a zero trust initiative in place or will adopt one in the next 12-18 months.
“Today we’ve seen that zero trust is no longer a theoretical idea — it’s an active initiative that almost every organization across [every] industry is implementing,” Christopher Niggel, regional chief security officer for the Americas at Okta, said via email.
Security Week offers expert opinions on prevention being the future of cybersecurity and the future of endpoint management.