Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy front

Cybersecurity Dive reports
- “The White House outlined its cybersecurity budget priorities for fiscal year 2025 in a memorandum sent to executive departments and agencies Tuesday.
- “The Biden administration is looking to connect cybersecurity investments to the five pillars of the national cybersecurity strategy it released in early March, the document shows.
- “The letter, signed by Acting National Cyber Director Kemba Walden and Office of Management and Budget Director Shalanda Young, advises federal agencies to prioritize spending on critical infrastructure defense, disrupting and dismantling threat actors, software that is secure by design, resiliency and international partnerships. * * *
- “Agencies that bear responsibility for disrupting ransomware are advised to submit budgets that prioritize staff resources to investigate ransomware, disrupt ransomware infrastructure and participate in interagency task forces focused on cybercrime.”

The Government Accountability Office issued a report on launching and implementing the national cybersecurity strategy.
- “Federal agency information systems and national critical infrastructure are vulnerable to cyberattacks.
- “This Snapshot covers the status of the National Cybersecurity Strategy. The strategy’s goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.
- “It will be difficult to implement the strategy when the specific details have yet to be issued. The continued vacancy in the role of National Cyber Director is also a challenge.”

From the cybersecurity vulnerabilities and breaches front —

Health IT Security breaks down the breach reports submitted to the HHS portal in the first six months of 2023.
- “HealthITSecurity has compiled a list of the top ten biggest healthcare data breaches reported to the HHS Office for Civil Rights (OCR) data breach portal this year as of late June 2023, based on the number of individuals impacted for each event. It is important to note that this list refers to breaches reported to OCR in 2023, but a few occurred in 2022 or earlier.
- “Some of the biggest breaches so far this year stemmed from known cybersecurity vulnerabilities in Fortra’s GoAnywhere managed file transfer (MFT) solution and attacks on other third-party vendors, while others involved direct cyberattacks against healthcare organizations.”

Cybersecurity Dive tells us
- “Fallout from Clop’s mass exploit of a zero-day vulnerability in Progress Software’s MOVEit file transfer service continues to ensnare additional victims. The prolific ransomware actor is listing new compromised systems on its leak site daily and some organizations are still disclosing breaches.
- “At least 108 organizations, including seven U.S. universities, have been listed by Clop or disclosed as having been impacted thus far, according to Brett Callow, threat analyst at Emsisoft.
- “The University of California, Los Angeles, is the latest organization to disclose a breach of its MOVEit platform. The school’s IT security team discovered malicious activity on June 1, a spokesperson told Cybersecurity Dive. * * *
- “Organizations are disclosing breaches weeks after Progress first acknowledged the MOVEit vulnerability and cybersecurity experts warned about mass exploits. Two additional vulnerabilities in the file-transfer service have subsequently been discovered. * * *
- “Some organizations have been impacted due to their direct use of MOVEit while others have been exposed as a result of third-party vendors’ use of the file transfer service, including PBI Research Services and Zellis.”

The Cybersecurity and Infrastructure Security Agency (CISA) informs us
- “The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Data (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.
- “The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV).
- “CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt. Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”

On June 29, 2023, CISA added eight known exploited vulnerabilities to its Catalog.

The Cybersecurity and Infrastructure Security Agency advises us
- “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.
- “If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance.
- “Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.
- “Contact your internet service provider to ask if there is an outage on their end or if their network is the target of an attack and you are an indirect victim. They may be able to advise you on an appropriate course of action.
- “Organizations can take proactive steps to reduce the effects of an attack—See the following guidance for more information:
- Understanding and Responding to Distributed Denial-of-Service Attacks
- Additional DDoS Guidance for Federal Agencies

From the ransomware front, here is a link to Bleeping Computer’s the Week in Ransomware.

From the cybersecurity defenses front —

Venture Beat reports
- “Forrester’s recent report, The State of Cloud in Healthcare, 2023, provides an insightful look at how healthcare providers are fast-tracking their cloud adoption with the hope of getting cybersecurity under control. Eighty-eight percent of global healthcare decision-makers have adopted public cloud platforms, and 59% are adopting Kuber netesto ensure higher availability for their core enterprise systems. On average, healthcare providers spend $9.5 million annually across all public cloud platforms they’ve integrated into their tech stacks. It’s proving effective — to a point.
- “What’s needed is for healthcare providers to double down on zero trust, first going all-in on identity access management (IAM) and endpoint security. The most insightful part of the Forrester report is the evidence it provides that continuing developments from Amazon Web Services, Google Cloud Platform, Microsoft Azure and IBM Cloud are hitting the mark with healthcare providers. Their combined efforts to prove cloud platforms are more secure than legacy network servers are resonating.”

CISA released cloud services guidance and resources.

Tech Republic offers five top zero trust security implementation tips and explains how generative AI is a game changer for cloud security.

The HHS Office for Civil Rights’ June 2023 Cybersecurity Bulletin covers the topic of HIPAA and cybersecurity authorization.

Cybersecurity Dive points out that “Long before a data breach, well-prepared companies set up incident response teams with workers from multiple departments.”

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog