From the cybersecurity policy front,
- Cybersecurity Dive reports,
- “The U.S. government and its partners have slowed the swell of ransomware over the last three years, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Wednesday at an event.
- “But the cyclical and persistent threat ransomware poses requires new ways of thinking, Easterly said, speaking at the Institute for Security and Technology’s annual ransomware task force event. Defenders and stakeholders have to turn the lens to software and hardware vendors, according to Easterly.
- “There’s a lot about the villains. There’s a lot about victims. We do not talk enough about vendors,” she said.
- “The way we are going to actually drive down the number of attacks, and the number of successful attacks, is if we go upstream and ensure that technology that is deployed and delivered is in fact prioritized to be secure,” Easterly said. “Not features, not speed to market, not driving down costs, but secure.”
- Here is a link to a related blog post from the CISA Director on this important topic.
- Cyberscoop adds,
- “The Cybersecurity and Infrastructure Security Agency’s vulnerability warning program has issued more than 2,000 alerts to date to organizations that are running software with vulnerabilities being exploited by ransomware gangs, the agency’s director, Jen Easterly, said Wednesday.
- “Currently running in a pilot phase, the program is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch them before they can be infiltrated.
- “The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly said at an event hosted by the Institute for Security and Technology.
- “Easterly said that since the pilot was launched in January of last year, it has expanded to include CISA’s database of known exploited vulnerabilities as well as common misconfigurations that can be linked to ransomware attacks.
- “In a Thursday blog about the warning pilot, CISA found that of the more than 1,700 notifications of vulnerable devices in 2023, 49% were mitigated through either patching, taking offline, or through other measures. The blog also said organizations reduce cyber risk when using CISA’s free cyber hygiene vulnerability scanning service, which monitors the web for vulnerable devices.
- “Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days,” CISA said.”
From the cyber vulnerabilities and breaches front,
- Cybersecurity Dive tells us,
- “UnitedHealth Group said [on April 22] it paid hackers a ransom in an attempt to protect patient information from disclosure after a cyberattack against its subsidiary Change Healthcare in February, the company confirmed to Healthcare Dive on Monday.
- “The healthcare behemoth also said patient data was compromised. UnitedHealth found files involved in the cyberattack containing protected health information or personally identifiable information that “could cover a substantial proportion of people in America,” according to a press release.
- “UnitedHealth also said 22 screenshots of allegedly stolen files, some containing patient health information, were posted on the dark web for about a week. The healthcare giant said it’s continuing to monitor the internet and the dark web for stolen data. * * *
- “The company also said it would take on breach reporting and notification requirements for customers whose data may have been exposed in the attack — a big concern for provider groups.”
- Tech Crunch reports,
- “U.S. health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).
- “In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”
- “Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”
- “Kaiser said it subsequently removed the tracking code from its websites and mobile apps. * * *
- “Kaiser spokesperson Diana Yee said that the organization would begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates, the spokesperson said.
- “The health giant also filed a legally required notice with the U.S. government on April 12 but made public on Thursday confirming that 13.4 million residents had information exposed.”
- CISA added the following known exploited vulnerabilities to its catalog this past week.
- On April 23, 2024, CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation Vulnerability.
- On April 24, 2024,
- CVE-2024-20353 Cisco ASA and FTD Denial of Service Vulnerability
- CVE-2024-20359 Cisco ASA and FTD Privilege Escalation Vulnerability
- CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability
- Help Net Security informs us,
- “More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found.
- “Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee.
- “LockBit was found to still be holding the stolen data of victims that had paid a ransom, and we have also seen prior Hive victims that had paid the extortion, have their data posted on the Hunters International leak site (a reboot / rebrand of Hive),” the company said, noting that “future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”
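A defender reading the KEV additions listed earlier in this section would want to reconcile them against an asset inventory before the remediation due dates arrive. The following is an added example, not code from the newsletter or from CISA: it parses a feed excerpt constructed here from the four CVE ids named above, laid out with the field names of the public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse), filters additions since a given date, and matches them against a constructed inventory. The due dates, host names, product strings and ransomware-use flags are assumptions made for the example.

```python
"""Reconcile a CISA KEV feed excerpt against a local asset inventory.

Added example; not code from the newsletter or from CISA. Only the CVE ids and
dateAdded values come from the roundup above; every other value is constructed.
"""
import json

# Constructed excerpt in the shape of the KEV feed's "vulnerabilities" array.
# dueDate, product strings and knownRansomwareCampaignUse are illustrative.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2022-38028", "vendorProject": "Microsoft", "product": "Windows",
   "vulnerabilityName": "Microsoft Windows Print Spooler Privilege Escalation Vulnerability",
   "dateAdded": "2024-04-23", "dueDate": "2024-05-14", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-20353", "vendorProject": "Cisco", "product": "ASA and FTD",
   "vulnerabilityName": "Cisco ASA and FTD Denial of Service Vulnerability",
   "dateAdded": "2024-04-24", "dueDate": "2024-05-15", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-20359", "vendorProject": "Cisco", "product": "ASA and FTD",
   "vulnerabilityName": "Cisco ASA and FTD Privilege Escalation Vulnerability",
   "dateAdded": "2024-04-24", "dueDate": "2024-05-15", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-4040", "vendorProject": "CrushFTP", "product": "CrushFTP",
   "vulnerabilityName": "CrushFTP VFS Sandbox Escape Vulnerability",
   "dateAdded": "2024-04-24", "dueDate": "2024-05-15", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed inventory: hypothetical hosts with the vendor/product they run.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Cisco", "product": "ASA"},
    {"host": "xfer-01", "vendor": "CrushFTP", "product": "CrushFTP"},
    {"host": "print-srv-02", "vendor": "Microsoft", "product": "Windows"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL"},  # no match in excerpt
]


def load_kev(feed_json: str) -> list[dict]:
    """Return the list of KEV entries from a feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def added_since(entries: list[dict], since_iso: str) -> list[dict]:
    """Keep entries whose dateAdded is on or after since_iso (ISO dates sort lexically)."""
    return [e for e in entries if e["dateAdded"] >= since_iso]


def _days_between(start_iso: str, end_iso: str) -> int:
    """Whole days from start_iso to end_iso; negative if end is earlier."""
    from datetime import date
    return (date.fromisoformat(end_iso) - date.fromisoformat(start_iso)).days


def exposed_assets(entries: list[dict], inventory: list[dict], today_iso: str) -> list[dict]:
    """Match KEV entries to inventory rows by vendor and product substring.

    Returns one row per (host, CVE) pair, soonest due date first, so the output
    doubles as a patch priority list.
    """
    hits = []
    for entry in entries:
        vendor = entry["vendorProject"].casefold()
        product = entry["product"].casefold()
        for asset in inventory:
            same_vendor = asset["vendor"].casefold() == vendor
            if same_vendor and asset["product"].casefold() in product:
                hits.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "name": entry["vulnerabilityName"],
                    "dueDate": entry["dueDate"],
                    "days_until_due": _days_between(today_iso, entry["dueDate"]),
                    "ransomware_use": entry["knownRansomwareCampaignUse"],
                })
    hits.sort(key=lambda h: (h["days_until_due"], h["cveID"]))
    return hits


if __name__ == "__main__":
    recent = added_since(load_kev(KEV_FEED_JSON), "2024-04-20")
    for hit in exposed_assets(recent, INVENTORY, "2024-04-26"):
        print(f'{hit["host"]:14} {hit["cveID"]:16} due {hit["dueDate"]} '
              f'({hit["days_until_due"]:>3} days)  {hit["name"]}')
```

Matching on a product substring is deliberately loose so that an inventory row recorded as "ASA" still catches a KEV entry whose product string covers several platforms; a production version would key on CPE strings instead, and would refresh the feed rather than embed an excerpt.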
From the cybersecurity defenses front,
- Cybersecurity Dive lets us know,
- “Global median dwell times — measured as the time that hackers remain undetected inside a targeted environment — have fallen to their lowest levels in more than a decade, according to the annual M-Trends report from Google Cloud’s Mandiant, released Tuesday.
- “Organizations were able to detect intrusions within a median of 10 days in 2023, compared with 16 days in 2022. Notably the largest improvements came in the Asia-Pacific region, where median dwell times fell to nine days in 2023, compared with 33 in 2022.
- “Zero-day vulnerabilities are a hot target for espionage actors as well as financially motivated threat groups. Zero-day usage rose 50% in 2023, compared with the prior year.”
- and
- “The majority of companies, 4 in 5, have suffered a cyberattack that wasn’t fully covered under their cyber insurance policy, according to an analysis by cyber risk quantification firm CYE.
- “On average, each insurance gap left more than three-quarters of a breach uncovered, CYE said in a report released Wednesday. The research, which analyzed 101 breaches across various sectors, revealed an average of $27.3 million in uncovered losses per incident.
- “This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion,” Nimrod Partush, vice president of data science at CYE, said in a press release.”
- Here is a link to Dark Reading’s latest CISO Corner.
- Here are links to ISACA expert posts about
- SC Media considers whether the Change Healthcare case finally will make providers do a business impact analysis.