Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive reports

  • “The White House is crafting a roadmap to guide the implementation of the national cybersecurity strategy that it is set to release early this summer, Acting National Cyber Director Kemba Walden said Tuesday during a discussion with journalists at the RSA Conference.
  • “The strategy, framed around principles, was developed to have a 10-year shelf life. The dynamic and evolving nature of cybersecurity requires flexibility as new threats or technologies emerge, Walden said.
  • “The devil’s in the implementation planning process,” Walden said. “It’s really going to be who’s accountable for what, who’s responsible for what in the policymaking process, in the sort of sausage factory of the government.”

Cyberscoop informs us that “US cybersecurity officials are stepping up their push for tech companies to adopt secure-by-design practices. Efforts at CISA and the Department of Energy are both meant to encourage the practice of building in better security protections.

  • “Small and medium businesses, local school districts, water utilities, local hospitals, are not going to be successful in managing cybersecurity risk alone if they ever get in the crosshairs of a ransomware gang or an APT actor,” said Eric Goldstein on Wednesday during the annual RSA Conference here that brings together government officials and industry executives. “Those who can bear the burden are held accountable for providing services that are safe and secure by design by default.”
  • Jack Cable, a senior technical adviser at CISA, told CyberScoop that CISA held two listening sessions recently with industry partners as well as one with the open-source community. He said the agency plans to build on secure by design principles recently outlined in a white paper the agency published. “This is the first chapter of the story here and we want to work closely with industry and governmental partners with this.”

The Cybersecurity and Infrastructure Security Agency (CISA) tells us,

  • “In line with the theme for this year’s RSA Conference, Stronger Together, Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Army Maj. Gen. William J. Hartman, U.S. Cyber Command’s Cyber National Mission Force commander, delivered a presentation on the importance of partnership in defending America’s critical infrastructure while holding malicious cyber actors accountable.
  • “Goldstein and Hartman shared newly-declassified details of interagency responses to cyber attacks from nation-state actors and cybercriminals, including how CNMF shares information from foreign operations to enable CISA’s domestic defensive mission. They also discussed how CISA shares information from domestic cyber incidents to enable CNMF’s operations to impose costs on foreign malicious cyber actors. Goldstein and Hartman discussed case studies, including the “SolarWinds” campaign, the mitigation of Chinese hacking of Microsoft Exchange, the disruption of Iranian targeting of an election reporting website, and ongoing data-sharing from cyber criminal targeting of federal agencies and educational institutions to enable CNMF operations.
  • “As our nation’s cyber defense agency, CISA recognizes that we must leverage all tools and capabilities to increase costs against our adversaries. Our work with CNMF enables us to not only more effectively defend our nation’s critical infrastructure from cyberattacks but also clearly demonstrate to our adversaries that there is a price to pay if you decide to attack American infrastructure,” said CISA EAD Goldstein. “Our presentation demonstrated for the first time how this partnership yields real-world operational benefits and how we rely upon collaboration with, and incident reporting from, the private sector to catalyze this work.”

NIST’s Computer Security Resource Center announced

  • “For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.
  • “Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. NIST agrees… and anticipates follow-on work in this area—but NIST can’t do it alone and plans to work collaboratively with other agencies, entities, and colleagues to produce useful resources. Stay tuned for more information about this in the coming months.
  • “NIST and OCR are still in the process of adjudicating the received comments carefully. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 r2 (with the goal being to publish a final version of SP 800-66 r2 later this year). Thank you for the opportunity to share this update. Feel free to reach out with any questions or comments to sp800-66-comments@nist.gov (and follow us on @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).”

From the cyber vulnerabilities front —

Bloomberg points out

  • “As hacking has gotten more destructive and pervasive, a powerful type of tool from companies including CrowdStrike Holdings Inc. and Microsoft Corp. has become a boon for the cybersecurity industry.
  • “Called endpoint detection and response software, it’s designed to spot early signs of malicious activity on laptops, servers and other devices – “endpoints” on a computer network — and block them before intruders can steal data or lock the machines. 
  • “But experts say that hackers have developed workarounds for some forms of the technology, allowing them to slip past products that have become the gold standard for protecting critical systems. 
  • “Investigators from multiple cybersecurity firms said the number of attacks where EDR is disabled or bypassed is small but growing, and that hackers are getting more resourceful in finding ways to circumvent the stronger protections it provides. * * *
  • “Security software cannot stand alone — you need eyes on-screen combined with technology,” [an investigator] said. EDR “is much better than antivirus software. So for sure you need it. It’s just not the silver bullet that some think it is.”

CISA relates

From the ransomware front —

HHS’s Healthcare Sector Cybersecurity Coordination Center issued a sector alert yesterday

  • “Ransomware-as-a-service (RaaS) groups Cl0p and Lockbit recently conducted several distinct attacks, exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669). The Cybersecurity and Infrastructure Security Agency (CISA) added the latter two vulnerabilities to its Known Exploited Vulnerabilities Catalog but has not yet added the first. This Sector Alert follows previous HC3 products on Cl0p (Cl0p Allegedly Targeting Healthcare Industry and Cl0p Ransomware) and Lockbit (Lockbit Ransomware, LockBit 3.0, and LockBit 2.0 IOCs), and provides an update on the recent attacks, and recommendations to detect and protect against future ransomware attacks.”

Here is the latest BleepingComputer Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports, “KLAS, the American Hospital Association (AHA) and healthcare risk management solutions company Censinet released the much-anticipated first wave of results of its Healthcare Cybersecurity Benchmarking Study.”

Cybersecurity Dive calls attention to “Mandiant CEO Kevin Mandia’s seven tips for cyber defense; Organizations’ institutional knowledge is an advantage that no adversary can match, Kevin Mandia told RSA Conference attendees.” The FEHBlog’s favorites are

  1. Lean on multifactor authentication

“The biggest bang for the buck against any impactful attack is multifactor authentication period,” Mandia said. “Figuring out a way to get it everywhere and know that you have it everywhere with some sort of validation is critical.”

  2. Build honeypots

Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can’t stop, Mandia said.

The FEHBlog uses multifactor authentication but had not heard of honeypots.
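As an added illustration of the honeypot-account idea above (example code written for this post, not from Cybersecurity Dive or Mandiant), the Python below flags every authentication event that references a decoy account; since no authorized user ever touches those accounts, even a failed attempt is worth an alert. The account names and log lines are constructed.

```python
import re
from dataclasses import dataclass

# Honey accounts: created to look real but never used by anyone (constructed names).
HONEY_ACCOUNTS = {"svc_backup_admin", "j.finance.archive"}

# Constructed sample auth log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2023-04-29T02:14:03Z auth sshd: Accepted password for alice from 10.0.5.12
2023-04-29T02:15:41Z auth sshd: Failed password for svc_backup_admin from 198.51.100.7
2023-04-29T02:15:44Z auth sshd: Accepted password for svc_backup_admin from 198.51.100.7
2023-04-29T02:16:02Z auth sshd: Accepted password for bob from 10.0.5.30
2023-04-29T02:18:19Z auth sshd: Failed password for j.finance.archive from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    source: str
    result: str


def honey_account_alerts(log_text: str, honey_accounts=HONEY_ACCOUNTS) -> list[Alert]:
    """Return one alert per auth event that touches a honey account.
    Failed and successful attempts both count: nobody legitimate should
    ever reference these accounts, so any mention is a signal."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised format; a real pipeline would count these
        if m["user"] in honey_accounts:
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["result"]))
    return alerts


def suspicious_sources(alerts: list[Alert]) -> set[str]:
    """Source addresses to investigate: anything that touched a honey account."""
    return {a.source for a in alerts}


if __name__ == "__main__":
    for a in honey_account_alerts(SAMPLE_LOG):
        print(f"ALERT {a.timestamp} {a.result} login for honey account {a.user} from {a.source}")
```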

Tech Radar reports

  • “A new prototype technology has the potential to revolutionize cybersecurity, making it possible for businesses to prevent the majority of cyberattacks with ease.
  • “In a joint project developed by ARM and the University of Cambridge, world-renowned for its computer science pedigree, the prototype processor was used in experiments by various companies for six months as part of the Technology Access Programme, courtesy of Digital Catapult with support from the University of Cambridge and Arm.
  • “As a result of this programme, 27 of the participating companies gathered at Digital Catapult’s London HQ to demonstrate their findings, and many were impressed it seems with the prototype’s ability to defend against memory-related cyberattacks. * * *
  • “Although it is still in the research phase, the prototype is claimed to have the potential to help protect industries and firms. Already, the programme has racked up over a thousand days in development work, with over 13 million lines of code being experimented with.”