Cybersecurity Saturday

From the cybersecurity policy front, Cybersecurity Dive tells us

Virginia Democrat Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence, has released a white paper detailing a series of potential regulatory requirements for health systems aimed at improving cybersecurity across the industry.

Cyber vulnerabilities increasingly threaten patient safety as well as leaving organizations exposed to data theft, the paper argues. “It has become readily apparent that the way that cybersecurity is treated by those in the healthcare sector needs to change.”

Assembled by Warner’s staff with input from cybersecurity and healthcare experts, the paper outlines the challenges facing care delivery organizations and offers proposals aimed at strengthening providers’ cybersecurity capabilities and building response systems to help recover from attacks. * * *

The paper proposes establishing minimum cyber hygiene practices for healthcare organizations, addressing insecure legacy systems, requiring a “software bill of materials” for medical devices and all healthcare industry software, streamlining information sharing and looking at how Medicare payment policies should be changed to incorporate cybersecurity expenses.

The public comment deadline is December 1, 2022.

From the cyber vulnerabilities front

While the Cybersecurity and Infrastructure Security Agency did not add any new known exploited vulnerabilities this week, the Federal Times offers an article on how to use the catalog, which led the FEHBlog to CISA’s guidance on that topic. CISA has identified three steps that the agency is taking to transform the vulnerability management landscape.

  • First, we must introduce greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework (CSAF)
  • Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX)
  • Third, we must help organizations more effectively prioritize vulnerability management resources through use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog

Cybersecurity Dive adds

Multiple threat actors are launching attacks against unpatched users of Zimbra Collaboration Suite, a business productivity software and email platform, the Cybersecurity and Infrastructure Security Agency said in a warning Thursday [November 10].  

CISA, in a joint advisory with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and contributions from the FBI, said threat actors are exploiting multiple CVEs to launch attacks against unpatched government and private sector users. 

The advisory updates previous guidance issued in August regarding vulnerabilities in ZCS. Officials urge administrators that failed to patch their systems or are otherwise exposed to the internet, to assume they have been compromised and use third-party detection signatures in the advisory to hunt for threat activity. 

and

Federal authorities are encouraging users and corporate administrators to apply security updates after major vulnerabilities were found in Citrix ADC (Application Delivery Controller) and Citrix Gateway.

The Cybersecurity and Infrastructure Security Agency warned Wednesday that a remote attacker could exploit the vulnerability to take control over an affected system.

Citrix is not aware of any known exploitation in the wild, but is urging administrators to immediately patch their systems, according to a company spokesperson.

Security Week explains how “Microsoft’s latest Patch Tuesday [November 7] updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.”

From the ransomware front

BleepingComputer’s The Week in Ransomware is back.

From the same publication we learn

The U.S. Department of Health and Human Services (HHS) warned today [November 10] that Venus ransomware attacks are also targeting the country’s healthcare organizations.

In an analyst note issued by the Health Sector Cybersecurity Coordination Center (HC3), HHS’ security team also mentions that it knows about at least one incident where Venus ransomware was deployed on the networks of a U.S. healthcare organization. * * *

The threat actors behind the Venus ransomware attacks are known for hacking into the victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Besides terminating database services and Office apps, the ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention on compromised endpoints.

Since August, when it began operating, Venus ransomware has been relatively active, with new submissions being uploaded to ID Ransomware every day.

From the cybersecurity defenses front

Cybersecurity Dive advises us

NIST Special Publication 800-63B Digital Identity Guidelines offers best practices for password lifecycle management, as well as policy standards for other authentication methods. The guidelines for password management are straightforward:

  • Check passwords against breached password lists
  • Block passwords contained in password dictionaries
  • Prevent the use of repetitive or incremental passwords
  • Disallow context-specific words as passwords
  • Increase the length of passwords
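As an added example (not code from the article or from NIST), here is a small Python screener that applies the five practices listed above to a candidate password. The breach list, dictionary and organization-specific context words are constructed stand-ins; a real deployment would load full corpora, and the 8-character floor is SP 800-63B's minimum for user-chosen memorized secrets.

```python
# Constructed sample lists standing in for real breach corpora and dictionaries.
BREACHED = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"welcome", "sunshine", "dragon"}
CONTEXT_WORDS = {"fehb", "fehblog", "healthplan"}  # assumed org-specific terms
MIN_LENGTH = 8  # SP 800-63B minimum length for user-chosen memorized secrets


def has_repetitive_or_sequential_run(pw: str, run: int = 4) -> bool:
    """True if any window of `run` characters is all the same ('aaaa')
    or strictly ascending/descending by one code point ('abcd', '4321')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of SP 800-63B screening rules the password fails.
    An empty list means the password passed every check."""
    s = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if s in BREACHED:
        problems.append("appears in breach list")
    if s in DICTIONARY:
        problems.append("dictionary word")
    if has_repetitive_or_sequential_run(pw):
        problems.append("repetitive or sequential")
    # Context-specific words: the org terms plus the account's own username.
    context = CONTEXT_WORDS | ({username.lower()} if username else set())
    if any(word in s for word in context):
        problems.append("contains context-specific word")
    return problems


if __name__ == "__main__":
    for candidate, user in [("password", ""), ("1234abcd", ""),
                            ("MyFEHBlog2022", "alice"), ("Tr0ub4dor&3", "")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```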

* * *

[F]ewer than half, 44%, of organizations provide their employees with guidance and best practices governing passwords and access management, according to Keeper’s 2022 U.S. Cybersecurity Census Report.

Nearly one-third allow employees to set and manage their own passwords – and admit that employees often share access to passwords.

But organizations are reaching a point of no return with passwords. The NIST framework doesn’t just recommend guidelines for password management, but for a variety of authentication methods, including biometrics and multifactor. 

“Time spent on enhancing password-based authentication is a wasted cost; instead, organizations should get out of password schemes as soon as possible and investigate alternatives,” said Maynor. 

Still, it’s helpful to be familiar with these practices for personal use. The article also discusses password manager security.

The Wall Street Journal provides an update in rising cybersecurity insurance premiums:

Data from the latest WSJ Pro Research cybersecurity survey reveals cyber insurance insights including coverage levels, challenges related to buying policies, and claim rates.

There is a wide disparity in purchases of cyber insurance depending on company size: Nine out of ten of the largest companies have cybersecurity insurance coverage, while six in ten of the smallest have coverage.

Premiums are rising: 86% of companies renewing their cyber insurance policies noted an increase in premiums for the same level of coverage.

Reasons for small businesses lacking cyber insurance include not thinking it represents good value for money and believing they are unlikely to be hit with a successful cyberattack.

Larger companies are more likely to claim against their cyber insurance: 11% of large companies made claims in the last 12 months, more than three times the number of smaller businesses that made claims.

Cybersecurity Dive discusses a recent cybersecurity insurance coverage dispute. “The legal dispute between the snack giant [Mondelez] and insurer Zurich American, which lasted four years, raises further questions about how insurers cover acts of cyber war.”