Cybersecurity Saturday

From the CrowdStrike front,

  • Dark Reading explains why the CrowdStrike outage should be a wake-up call for cybersecurity experts. “The incident serves as a stark reminder of the fragility of our digital infrastructure. By adopting a diversified, resilient approach to cybersecurity, we can mitigate the risks and build a more secure digital future.”
  • Cybersecurity Dive reports,
  • and
    • Federal officials said the global IT outage stemming from a faulty CrowdStrike software update is raising prior concerns about the security of the software supply chain. 
    • The U.S. Government Accountability Office released a report Tuesday [July 30] noting the July 19 outage, which led to the disruption of 8.5 million Microsoft Windows systems. The CrowdStrike incident resurrected concerns raised during the state-linked supply chain attack against SolarWinds in 2020, according to the GAO. 
    • The CrowdStrike incident highlights specific warnings about memory safety issues in software development, the White House said on Thursday. The remarks build on a February report that raised questions about the link between memory safety issues and software vulnerabilities. 
  • and
    • “The global IT outage stemming from a faulty CrowdStrike software update will lead to cyber insurance losses primarily driven by business interruption claims, Moody’s Ratings said in a report released Monday. 
    • “Businesses are expected to make claims under “systems failure” provisions, coverage that is becoming standard for cyber insurance policies, because the incident was not considered a malicious attack. Moody’s said insured organizations will link claims to direct business losses as well as contingent losses of third-party vendors. 
    • “The outage is likely to spur larger reviews of underwriting, with a focus on systems failure, according to Moody’s. The outage has already raised concerns about the risk of single points of failure, as lone organizations with a vast footprint can bring down operations across so many critical industries.”

From the cybersecurity policy front,

  • Cyberscoop lets us know,
    • “Cybersecurity legislation aimed at unscrambling regulations, strengthening health system protections and bolstering the federal workforce sailed through a key Senate committee Wednesday [July 31], moving the trio of bipartisan bills to future consideration before the full chamber.
    • “The Senate Homeland Security and Governmental Affairs Committee voted first on the Streamlining Federal Cybersecurity Regulations Act, a bill co-sponsored by committee Chair Gary Peters, D-Mich., and Sen. James Lankford, R-Okla., that seeks to streamline the country’s patchwork of federal cyber rules.
    • “The bill would harmonize federal cyber requirements for the private sector, which has long been critical about conflicting rules imposed by agencies. A committee made up of the national cyber director, the chief of the Office of Management and Budget’s Office of Information and Regulatory Affairs, the heads of each federal regulatory agency and other government leaders as determined by the chair would be charged with identifying cyber regulations deemed “overly burdensome, inconsistent, or contradictory” and recommending updates accordingly.
    • “Also moving forward Wednesday was the Healthcare Cybersecurity Act from Sens. Jacky Rosen, D-Nev., Todd Young, R-Ind., and Angus King, I-Maine. The legislation, which came in the aftermath of the February ransomware attack on the payment processor Change Healthcare, calls on the Cybersecurity and Infrastructure Security Agency to collaborate with the Department of Health and Human Services on cyber defenses, providing resources to non-federal entities connected to threat indicators.” * * *
    • “The final cyber bill headed to the full Senate is the Federal Cyber Workforce Training Act, which tasks the national cyber director with coming up with a plan to create a centralized resource and training center for federal cybersecurity workforce development.” 
  • Fedscoop tells us,
    • “Lisa Einstein, the Cybersecurity and Infrastructure Security Agency’s senior adviser for artificial intelligence, has been tapped to serve as the agency’s first chief AI officer.
    • “A Stanford and Princeton graduate who joined CISA in 2022 as executive director of its Cybersecurity Advisory Committee, Einstein will assume the CAIO role at a time when the agency is attempting to leverage the technology to advance cyber defenses and more effectively support critical infrastructure owners and operators.
    • “I care deeply about CISA’s mission — if we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable. AI tools could accelerate our progress,” Einstein said in a statement. “But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools.” 
  • and
    • “The White House issued final FedRAMP modernization guidance Friday [July 26, 2024] as a response to cloud market changes and agency needs for more diverse mission delivery.
    • “The final guidance, previewed by FedScoop before its official release, aims to reform the cloud security authorization program by increasing focus on several strategic goals, such as enabling FedRAMP to conduct “rigorous reviews” and requiring cloud service providers (CSPs) to quickly mitigate any security architecture weaknesses to protect federal agencies from the most “salient threats.” The Office of Management and Budget began accepting public comments on a draft version of the guidance last fall.
    • “The memo places particular emphasis on a program to establish an automated process for intaking, using and reusing security assessments and reviews to reduce the burden on participants and speed up the implementation process for cloud solutions.” 
  • The National Institute of Standards and Technology published on July 30, 2024,
    • “NIST Special Publication (SP) 800-231, Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities, is now available. It presents an overview of the Bugs Framework (BF) systematic approach and methodologies for the classification of bugs and faults per orthogonal by operation software and hardware execution phases, formal specification of weaknesses and vulnerabilities, definition of secure coding principles, generation of comprehensively labeled weakness and vulnerability datasets and vulnerability classifications, and development of BF-based algorithms and systems.” * * *
    • Visit the Bugs Framework site at https://usnistgov.github.io/BF/.
  • and announced on August 1, 2024,
    • “The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is now returning to Washington, D.C. at the HHS Headquarters.
    • “The conference will explore the current healthcare cybersecurity landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event will highlight the present state of healthcare cybersecurity, and practical strategies, tips, and techniques for implementing the HIPAA Security Rule. * * *
    • “Virtual registration for the event is now open and costs $50 per person. 
    • “Please visit the event web page for more details and to register for virtual attendance to the conference.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive points out,
    • “Data breaches are painfully expensive and the cost for impacted businesses has grown every year since 2020. The global average cost of a data breach is nearly $4.9 million this year, up nearly 10% from almost $4.5 million in 2023, IBM said Tuesday in its annual Cost of a Data Breach report.
    • “U.S. organizations led the world with the highest average data breach cost of almost $9.4 million, a dubious distinction it has earned for the 14th straight year. Businesses in the Middle East, the Benelux countries, Germany and Italy rounded out the top five.
    • “Healthcare was far and away the costliest industry for data breaches — as it’s been since 2011 — with an average breach cost of almost $9.8 million, the report found. That’s a decrease from last year’s $10.9 million for the sector.”  
  • Security Week notes,
    • “HealthEquity is notifying 4.3 million individuals that their personal and health information was compromised in a data breach at a third-party vendor.
    • “The incident, the company said in a regulatory filing with the Maine Attorney General’s Office, was identified on March 25 and required an “extensive technical investigation”.
    • “Through this work, we discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” HealthEquity said.
    • “According to the company, the data was exposed after attackers compromised a vendor’s user accounts that had access to the online repository, gaining access to the information stored there.”
  • Per Cybersecurity Dive,
    • “Microsoft said a DDoS attack led to an eight-hour outage Tuesday [July 30] involving its Azure portal, as well as some Microsoft 365 and Microsoft Purview services. 
    • “Microsoft said an unexpected spike in usage led to intermittent errors, spikes and timeouts in Azure Front Door and Azure Content Delivery Network. An initial investigation showed an error in the company’s security response may have compounded the impact of the outage. 
    • “Microsoft said it will have a preliminary review of the incident in 72 hours and a final review within two weeks, to see what went wrong and how to better respond.”
  • CISA added the following known exploited vulnerabilities to its catalog this week.
    • “July 29, 2024
      • CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability
      • CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
      • CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
    • “July 30, 2024

From the ransomware front,

  • Cybersecurity Dive relates,
    • “Nearly one-third of companies that suffered a ransomware attack paid a ransom four or more times in the past 12 months to regain access to their systems, according to the 2024 Ransomware Risk Report released Tuesday by Semperis, a cybersecurity software company.
    • “This decision to pay multiple times involved 32% of attacked companies in France, Germany, the U.K. and U.S. across multiple industries, according to the survey of 900 IT and security executives.  
    • “Nearly half of the German companies queried paid four or more ransom payments, compared to one-fifth of companies in the U.S.
    • “More than a third of companies that paid the extortion demand either did not receive the decryption keys from attackers or were given corrupted keys, according to the report.”
  • Per TechTarget,
    • “Blood donation nonprofit OneBlood is actively responding to a ransomware attack that is affecting its ability to operate and provide blood to hospitals at its typical volume. According to a notice posted on OneBlood’s website on July 31, 2024, the company is operating at a “significantly reduced capacity, which impacts inventory availability.”
    • “OneBlood provides blood to more than 250 hospitals in Alabama, Florida, North Carolina, South Carolina and Georgia.
    • “OneBlood is continuing to collect, test and distribute blood to hospitals at a reduced capacity. Due to these limitations, OneBlood urged eligible donors to donate blood immediately, with an urgent request for O positive, O negative and platelet donations.”
  • Dark Reading notes,
    • “A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn’t just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.
    • “Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.
    • “But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.”
  • and considers whether making ransom payments illegal would result in fewer attacks.
    • “Frustration is understandable as ransomware attacks continue around the globe, but simply denying victim organizations the option of paying the ransom is neither realistic nor practical. There will always be exceptions to the law, and unanticipated repercussions could make the cure worse than the disease. Instead, an effective response will require organizations to take greater responsibility for cybersecurity and government agencies to engage in good old-fashioned police work. This strategy may not be as straightforward as a ban on ransom payments, but the war against ransomware is winnable through a comprehensive, nuanced approach.”
  • Security Week alerted us on July 29, 2024,
    • “Less than a week after VMware shipped patches for a critical vulnerability in ESXi hypervisors, Microsoft’s threat intel team says the flaw is being exploited by ransomware groups to gain full administrative access on domain-joined systems. 
    • “The flaw, tagged as CVE-2024-37085 with a CVSS severity score of 6.8, has already been abused by multiple known ransomware groups to deploy data-extortion malware on enterprise networks, according to a new warning from Redmond’s threat hunting teams.
    • “Strangely, Broadcom-owned VMware did not mention in-the-wild exploitation when it released patches and workarounds last week alongside warnings that it could be used by hackers to gain unauthorized access and control over ESXi hosts.”

From the cybersecurity defenses front,

  • An ISACA expert discusses “Navigating the Modern CISO Landscape: Practical Strategies for Cybersecurity Success.”
  • Dark Reading explains how to implement identity continuity with the NIST Cybersecurity Framework. “Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.”
  • McKinsey & Co. delves into “Generative AI in healthcare: Adoption trends and what’s next.”