From the CrowdStrike outage front,
- TechTarget offers lessons learned from the CrowdStrike outage.
- Cybersecurity Dive includes an opinion piece from Deepak Kumar, the founder and CEO of Adaptiva.
- “Patching remains a top priority for every organization, but slow, manual, and reactive patching presents far more risk than benefit. Automated patching without the capability to pause, cancel, or roll back can be reckless and lead to disruptions or worse.
- “Automated patching, with the necessary controls, is undoubtedly the best path forward, offering the speed needed to thwart bad actors and the control required to prevent an errant update from causing widespread issues.”
From the cybersecurity policy front,
- Cyberscoop informs us,
- “Federal contractors would be required to implement vulnerability disclosure policies that align with National Institute of Standards and Technology guidelines under a bipartisan Senate bill introduced last week.
- “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., is a companion to legislation from Rep. Nancy Mace, R-S.C., which was advanced by the House Oversight Committee in May.
- “The bill from Warner and Lankford on vulnerability disclosure policies (VDPs) aims to create a structure for contractors to receive reports of vulnerabilities in their products and then act against them before an attack occurs.
- “VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” Warner said in a statement. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks.”
- Cybersecurity Dive reports from the Black Hat cybersecurity conference held at Las Vegas in the first week of August,
- Despite a stream of devastating cyberattacks or mistakes that halt or disrupt large swaths of the economy, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, says the war against malicious activity is not lost.
- It is possible to elevate organizations’ ability to repel or mitigate attacks and place a greater emphasis on vendors’ responsibilities, Easterly said Wednesday during a media briefing at Black Hat. “We got ourselves into this, we have to get ourselves out,” she said.
- Easterly’s optimism isn’t the result of blind trust. “We have made enormous progress, even just over the past several years,” she said.” * * *
- “We have to recognize that the cybersecurity industry exists because technology vendors for decades have been allowed to create defective, flawed, insecure software that prioritizes speed to market features over security,” Easterly said.
- “There is more we can do but that’s where the war will be won,” Easterly said. “If we put aside the threat actors and we put aside the victims and we talk about the vendors.”
- and
- It’s time to stop thinking of threat groups as supervillains, experts say
- “These villains do not have superpowers. We should not treat them like they do,” * * *
- “The vast majority of organizations don’t have the time or resources to keep up with the chaos of tracking cybercriminal groups, Andy Piazza, senior director of threat intel at Palo Alto Networks Unit 42, said in an interview at Black Hat.
- “You as a defender shouldn’t care about that,” Piazza said. Defenders can better serve their organizations by developing capabilities to detect and respond to malicious tactics, techniques and procedures, Piazza said.
- “It’s hard to ignore the drama when groups are given names like Scattered Spider, Midnight Blizzard and Fancy Bear, but mythologizing the criminals responsible for cyberattacks can diminish defenders’ ability to detect and thwart malicious activity.”
- FedScoop lets us know,
- “The National Institute of Standards and Technology has officially released three new encryption standards that are designed to fortify cryptographic protections against future cyberattacks by quantum computers.
- “The finalized standards come roughly eight years after NIST began efforts to prepare for a not-so-far-off future where quantum computing capabilities can crack current methods of encryption, jeopardizing crucial and sensitive information held by organizations and governments worldwide. Those quantum technologies could appear within a decade, according to a RAND Corp. article cited by NIST in the Tuesday announcement.
- “Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” Laurie E. Locascio, director of the Department of Commerce’s NIST and undersecretary of commerce for standards and technology, said in a statement. “These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
- “The new standards provide computer code and instructions for implementing algorithms for general encryption and digital signatures — algorithms that serve as authentication for an array of electronic messages, from emails to credit card transactions.”
- Federal News Network adds,
- “CISA Director Jen Easterly said in a keynote at The White House Office of Management and Budget will soon direct agencies to map out plans for adopting post-quantum encryption to protect their most sensitive systems and data.
- “Federal Chief Information Office Clare Martorana said the new guidance will help agencies begin to adopt new cryptographic standards from the National Institute of Standards and Technology.
- “We will be releasing guidance directing agencies to develop a prioritized migration plan to ensure that the most sensitive systems come first,” Martorana said during an event hosted by the White House today. “We can’t do it alone. It’s critical that we continue to foster robust collaboration and knowledge sharing between public and private sectors, which is why conversations like the one we’re having today are so incredibly critical.”
From the cybersecurity vulnerabilities and breaches front,
- The Cybersecurity and Infrastructure Security Administration (CISA) added seven known exploited vulnerabilities (KEV) to its catalog this week. NIST initially identifies the KEVs, which explains the Senate bill discussed above, and then CISA publicizes those KEVs in its catalog
- August 13, 2024,
- CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
- CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
- CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
- CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
- CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability
- Security Week discusses these Microsoft KEVs.
- August 15, 2024,
- CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
- Cybersecurity Dive adds,
- SolarWinds is urging customers to patch a critical vulnerability in its Web Help Desk application, in a Tuesday advisory, which was last updated Friday.
- The company disclosed a java deserialization remote code execution vulnerability that, if successfully exploited, could allow an attacker to run commands on a host machine. The vulnerability, listed as CVE-2024-28986, has a CVSS score of 9.8.
- The Cybersecurity and Infrastructure Security Agency on Thursday added the CVE to its Known Exploited Vulnerabilities catalog.
- August 13, 2024,
- Cybersecurity Dive notes,
- “A vulnerability in the common log file system of Microsoft Windows can lead to the blue screen of death, impacting all versions of Windows 10 and Windows 11, researchers from Fortra said Monday.
- “The vulnerability, listed as CVE-2024- 6768, is caused by improper validation of specified quantities of input data, according to a report by Fortra. The vulnerability can result in an unrecoverable inconsistency and trigger a function called KeBugCheckEx, leading to the blue screen.
- “A malicious hacker can exploit the flaw to trigger repeated crashes, disrupting system operations and the potential loss of data, according to Fortra.”
- TechTarget explains why “recent cyberattacks against OneBlood and McLaren Health Care shed light on the operational challenges that targeted organizations face.”
From the ransomware front,
- A Dark Reading commentator explains that to avoid losing the ransomware battle, companies that are “institutionalizing and sustaining fundamental cybersecurity practices” also must “commit to ongoing vigilance, active management, and a comprehensive understanding of evolving threats.”
- “The challenge of institutionalizing and sustaining fundamental cybersecurity practices is multifaceted. It requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are implemented, measured, and maintained with rigor, organizations can better protect themselves against the ever-present threat of ransomware attacks. Focusing on the basics first — such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.”
- Cybersecurity Dive points out,
- “Cyber risk company Resilience said in a report unveiled Tuesday that ransomware has remained a top threat since January 2023, with 64% of related claims in its portfolio resulting in a loss during that period.
- “Increased merger-and-acquisition activity and reliance on ubiquitous software vendors created new opportunities for threat actors to unleash widespread ransomware campaigns by exploiting a single point of failure, the report said.
- “Now more than ever, we need to rethink how the C-suite approaches cyber risk,” Resilience CEO Vishaal Hariprasad said in a press release. “Businesses are interconnected like never before, and their resilience now depends on that of their partners and others in the industry.”
- Per Bleeping Computers,
- “RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
- “Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system.
- “This technique is very popular among various threat actors, ranging from financially motivated ransomware gangs to state-backed hacking groups.”
- and
- “Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information.
- “The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.”
From the cybersecurity defenses front,
- The American Hospital Association’s National Advisor for Cybersecurity and Risk, John Riggi, explains how healthcare entities should prepare for third party cyber risk.
- The Wall Street Journal shares remarks from a June 2024 WSJ conference on what can be learned from the Change Healthcare cyber-attack. “Two security experts explain why the hack affected so many institutions and people—and what could be done to protect the healthcare system.”