Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive reports

The Cybersecurity and Infrastructure Security Agency released its long-awaited, cross-sector cybersecurity performance goals Thursday, in a bid to raise the security baselines. Far from esoteric, the efforts listed are meant to serve as a broadly digestible roadmap to minimum operational security.

The 37 voluntary goals span the technical and the tactical, weighing the cost, complexity and impact of security initiatives. But they are not exhaustive and do not capture all that is required to protect critical infrastructure security. 

The goals “capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors,” CISA said.

CISA placed a premium on low-cost, high-impact security efforts, which account for more than 40% of the goals.

and

“CISA Director Jen Easterly, in a Thursday media call, said the guidelines would be particularly helpful for local organizations that may operate in the supply chains of larger companies or target-rich, resource-poor providers like hospitals, K-12 school districts or local water utilities.”

Cyberscoop adds

Danielle Jablanski, an OT cybersecurity strategist at cybersecurity firm Nozomi Networks, noted that the goals are “extremely accessible” and allow an organization to choose how to adopt the practices without a sort of formalized mandate.

“There’s a lot of things that are out of [asset owners’] control and I think this document brings them in and focuses in on what is in their control, what’s in their power and what’s in their capability to get done,” she said.

The CISA performance goals remind me of the flexibility built into the HIPAA Security Rule. Speaking of which, here’s the HHS Office for Civil Rights October Cybersecurity Newsletter, which discusses the HIPAA Security Rule’s Security Incident Procedures. Health IT Security discusses the newsletter’s recommendations.

From the cyber breach front —

U.S. News & World Report lists the ten biggest breaches of 2022 so far.

Closer to home, Govexec reports on a federal employee’s unfortunate experience of having her Thrift Savings Plan account looted by a hacker.

From the cyber vulnerability front

Tech Republic tells us “In their new report, SonicWall explores some of the most dangerous trends that security professionals need to have on their radar.”

The Health Sector Cybersecurity Coordination Center (HC3) issued its Monthly Cybersecurity Vulnerability Bulletin.

In September 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Cisco, Adobe, SAP, and VMware. A vulnerability is classified as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

HC3 also released a sector alert titled “Critical OpenSSL Vulnerability Will Require Action by Healthcare Organizations.”

A software library called OpenSSL – used with many of the most common operating systems and applications for secure communications – is going to receive an important update on Tuesday, November 1, 2022. OpenSSL is deployed across industries ubiquitously, including the health sector. HC3 highly recommends all public and private health sector organizations identify all instances of OpenSSL in their infrastructure and prepare to test and deploy the patch as soon as it is released.
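HC3’s action item is the hard part: finding every copy of OpenSSL before the patch lands, because the copy your package manager knows about is rarely the only one on a host. The script below is an added example (not HC3’s or the OpenSSL project’s tooling) of how to do that on a Linux host. It collects version evidence from the `openssl` CLI, the library the Python interpreter itself links against, the dpkg or rpm package database, and a byte scan of `libssl` shared objects, then flags copies on the affected release branch. It assumes the fix ships as OpenSSL 3.0.7 (the pre-announced release number) and that libraries live under the usual `/usr/lib`, `/usr/lib64`, `/usr/local/lib` and `/opt` paths; both are parameters you should adjust to the advisory and to your fleet.

```python
"""Inventory OpenSSL copies on a Linux host and flag those awaiting the advisory's fix.

Added example for a weekly roundup; not HC3's or the OpenSSL project's tooling.
Paths, package-manager calls and the fixed version are assumptions (see comments).
"""
import glob
import re
import shutil
import ssl
import subprocess

# Assumption: the release that carries the fix, as pre-announced by the OpenSSL
# project. Pass a different value to needs_patch()/inventory_host() if the advisory
# names another release or branch.
FIXED_VERSION = "3.0.7"

# The banner OpenSSL embeds in its libraries and prints from `openssl version`,
# e.g. b"OpenSSL 3.0.5 5 Jul 2022" or the lettered 1.1.1 scheme b"OpenSSL 1.1.1q".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Assumption: common library locations on Debian- and RHEL-style hosts. Add your
# application directories; vendored copies under /srv or /home are a frequent miss.
LIBRARY_GLOBS = [
    "/usr/lib/**/libssl.so*",
    "/usr/lib64/**/libssl.so*",
    "/usr/local/lib/**/libssl.so*",
    "/opt/**/libssl.so*",
]


def parse_version(text):
    """Return (major, minor, patch, letter) from a banner string/bytes, or None."""
    data = text if isinstance(text, bytes) else text.encode()
    m = VERSION_RE.search(data)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode())


def needs_patch(found, fixed=FIXED_VERSION):
    """True when `found` is on the same release branch as `fixed` and older than it.

    Other branches (for example 1.1.1) are outside this advisory's fix and return
    False; they still need their own upstream tracking.
    """
    if isinstance(fixed, str):
        fixed = parse_version("OpenSSL " + fixed)
    if found is None or fixed is None:
        return False
    return found[:2] == fixed[:2] and found < fixed


def format_version(version):
    """Render (3, 0, 5, "") as "3.0.5" and (1, 1, 1, "q") as "1.1.1q"."""
    return ".".join(str(part) for part in version[:3]) + version[3]


def _run(cmd):
    """Run a command if its binary is on PATH; return stdout, or "" on any failure."""
    if shutil.which(cmd[0]) is None:
        return ""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def inventory_host(fixed=FIXED_VERSION, library_globs=LIBRARY_GLOBS):
    """Return [(source, version_tuple, needs_patch_bool), ...] for this host.

    Package rows tell you who owns a copy; the library byte scan is what catches
    vendored or statically bundled copies the package database never saw.
    """
    findings = []

    # 1. The CLI on PATH, if any (LibreSSL banners parse to None and are dropped).
    out = _run(["openssl", "version"])
    if out:
        findings.append(("openssl CLI", parse_version(out)))

    # 2. The copy this interpreter links against, often distinct from the CLI's.
    findings.append(("python ssl module", parse_version(ssl.OPENSSL_VERSION)))

    # 3. Distro package databases. Caveat: a distro that backports the fix keeps the
    #    upstream version string, so a flagged package must be confirmed against the
    #    vendor advisory or changelog before it is counted as unpatched.
    for line in _run(["dpkg-query", "-W", "-f=${Package} ${Version}\n", "libssl*", "openssl"]).splitlines():
        parts = line.split()
        if len(parts) == 2:
            findings.append(("dpkg " + parts[0], parse_version("OpenSSL " + parts[1])))
    for line in _run(["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", "openssl*"]).splitlines():
        parts = line.split()
        if len(parts) == 2:
            findings.append(("rpm " + parts[0], parse_version("OpenSSL " + parts[1])))

    # 4. Byte scan of shared objects for the embedded banner.
    for pattern in library_globs:
        for path in glob.glob(pattern, recursive=True):
            try:
                with open(path, "rb") as fh:
                    findings.append((path, parse_version(fh.read())))
            except OSError:
                continue

    return [(src, ver, needs_patch(ver, fixed)) for src, ver in findings if ver is not None]


if __name__ == "__main__":
    for source, version, flagged in inventory_host():
        tag = "PATCH NEEDED" if flagged else "ok / other branch"
        print(f"{tag:18} {format_version(version):10} {source}")
```

Run it unprivileged on each host (or bake it into your config-management fact gathering); no root is needed to read package metadata or world-readable libraries. Two gaps remain by design: container images carry their own OpenSSL and need to be scanned as images, not from the host, and applications that statically link OpenSSL (or bundle it inside a language runtime) only show up if you add their install directories to `LIBRARY_GLOBS` and widen the glob to the executables themselves.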

CISA updated its Known Exploited Vulnerabilities Catalog with seven new vulnerabilities this week (six in one update and one more in a second).

From the ransomware front —

Cybersecurity Dive reports

Ransomware attack activity jumped 26% from August to September, hitting 202 victims and reaching a number of cases not observed since May, according to NCC Group’s Monthly Threat Pulse report. Last year still holds the lead for monthly highs.

The jump in ransomware was partly accelerated by a summer spree of attacks initiated by the LockBit ransomware group, which was responsible for more than half of all attacks tracked by NCC Group’s threat intelligence team in September. The prolific threat actor first appeared in September 2019 and is now on version 3.0 of its ransomware strain and payloads.

While month-to-month ransomware activity ebbs and flows, the sectors most heavily targeted and hit by attacks have held steady, according to NCC Group. The industrials sector — including construction, manufacturing, distribution and engineering products, among others — was the most-targeted industry in September with 57 incidents and accounting for more than one-quarter of attacks. Attacks on industrials doubled the next most-hit target, consumer cyclicals.

Tech Republic identifies the top ransomware groups of 2022.

Healthcare Dive uses the recent ransomware attack on CommonSpirit Health to explain why cybersecurity needs to be an important consideration in merger and acquisition due diligence work.

Here’s the latest Week in Ransomware from Bleeping Computer.

From the cyber defense front —

  • An expert writing in ISACA points out the top three mistakes IT security teams make.
  • CISA issued guidance on “Understanding and Responding to Distributed Denial-of-Service Attacks.”