From the cybersecurity policy and law enforcement front,
- Federal News Network tells us
- “A record number of federal agencies and their chief information officers are getting top marks on how they manage IT and cybersecurity.
- “A total of 13 agencies [including the U.S. Office of Personnel Management] received overall A letter grades on a semiannual Federal IT Acquisition Reform Act (FITARA) scorecard.
- “Another 10 agencies got a B grade for their overall IT and cybersecurity management. Only one agency, the Energy Department, received a C grade. No agencies received a D or an F.
- “Agencies generally saw lower scores in the previous FITARA scorecard released in February.”
- KFF Health News gives low marks to the federal agencies responsible for protecting healthcare organizations against cyberattacks.
- Per a CISA press release,
- “The Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan today. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
- “Each FCEB agency has a unique mission, and thus has independent networks and system architectures to advance their critical work. This independence means that agencies have different cyber risk tolerance and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines how this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.” * * *
- “The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities.
- “The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.”
- Per a NIST press release,
- “NIST is establishing a program for the cybersecurity and privacy of AI and the use of AI for cybersecurity and privacy.
- “The program will build on existing NIST expertise, research and publications such as:
- “The Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (NIST SP 800-218A);
- “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2);
- “Enabling privacy in the age of AI: Draft Guidelines for Evaluating Differential Privacy Guarantees (NIST SP 800-226);
- “Recent introduction of Security of AI as a Competency Area as part of the NICE Workforce Framework for Cybersecurity (NICE Framework);
- “Tools such as Dioptra – a test platform that aims to facilitate evaluations of machine learning algorithms, including cybersecurity, under a diverse set of conditions.
- “A PETs Testbed which provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, including protecting machine learning models from privacy attacks.
- Dark Reading reports,
- “The Justice Department today [September 19] announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.
- “According to unsealed documents, the botnet, known as Raptor Train, is operated by People’s Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.
- “A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.”
From the cyber vulnerabilities and breaches front,
- Cybersecurity Dive lets us know,
- “Ivanti warned Thursday of a critical path traversal vulnerability in Cloud Service Appliance, which is currently facing exploitation attempts by hackers. The vulnerability, listed as CVE-2024-8963, has a CVSS score of 9.4 and allows an unauthenticated hacker to gain access to restricted functionality.
- “Ivanti previously issued a patch for CSA on Sept. 10, but the company said the path traversal vulnerability was discovered while investigating exploitation linked to an OS command injection vulnerability, listed as CVE-2024-8190.
- “The company warned that when the two vulnerabilities are used in conjunction with each other, a hacker can bypass admin authentication and execute arbitrary commands.”
- Dark Reading tells us “Security Firm’s North Korean Hacker Hire was not an Isolated Incident; What happened to KnowBe4 also has happened to many other organizations, and it’s still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.” Check out the article.
- CISA added twelve known exploited vulnerabilities to its catalog this week.
- “September 16, 2024
- CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
- CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability”
- “September 17, 2024
- CVE-2014-0497 Adobe Flash Player Integer Underflow Vulnerability
- CVE-2013-0643 Adobe Flash Player Incorrect Default Permissions Vulnerability
- CVE-2013-0648 Adobe Flash Player Code Execution Vulnerability
- CVE-2014-0502 Adobe Flash Player Double Free Vulnerability”
- “September 18, 2024
- CVE-2024-27348 Apache HugeGraph-Server Improper Access Control Vulnerability
- CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
- CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
- CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability
- CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability”
- “September 19, 2024
- CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability”
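The KEV additions above are only useful once they are matched against what an organization actually runs. The following script is an added example (not code from the original post or from CISA): it reads a feed in the shape of CISA's public KEV JSON (`vulnerabilities` entries carrying `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`), selects the entries added during a given week, groups them by date, flags those touching a hypothetical asset inventory, and lists entries whose remediation due date has passed. The embedded feed is a constructed sample mirroring the entries listed above; its `dueDate` values are placeholders set 21 days after `dateAdded` (the usual KEV remediation window), the earlier CVE-2024-8190 entry's date is an assumption included to show the window filter, and the inventory is invented.

```python
"""Triage a week's additions to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Added example, not part of the original post and not CISA's code. Field names follow
the public KEV JSON schema; the sample feed, due dates and inventory below are constructed.
"""
import json
from collections import defaultdict
from datetime import date

# Constructed sample in the shape of the public KEV feed. Due dates are placeholders
# (dateAdded + 21 days); the CVE-2024-8190 dateAdded is an assumption for illustration.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-8190", "vendorProject": "Ivanti", "product": "Cloud Services Appliance (CSA)",
         "vulnerabilityName": "Ivanti Cloud Services Appliance OS Command Injection Vulnerability",
         "dateAdded": "2024-09-13", "dueDate": "2024-10-04"},
        {"cveID": "CVE-2024-43461", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows MSHTML Platform Spoofing Vulnerability",
         "dateAdded": "2024-09-16", "dueDate": "2024-10-07"},
        {"cveID": "CVE-2024-6670", "vendorProject": "Progress", "product": "WhatsUp Gold",
         "vulnerabilityName": "Progress WhatsUp Gold SQL Injection Vulnerability",
         "dateAdded": "2024-09-16", "dueDate": "2024-10-07"},
        {"cveID": "CVE-2014-0497", "vendorProject": "Adobe", "product": "Flash Player",
         "vulnerabilityName": "Adobe Flash Player Integer Underflow Vulnerability",
         "dateAdded": "2024-09-17", "dueDate": "2024-10-08"},
        {"cveID": "CVE-2020-0618", "vendorProject": "Microsoft", "product": "SQL Server Reporting Services",
         "vulnerabilityName": "Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability",
         "dateAdded": "2024-09-18", "dueDate": "2024-10-09"},
        {"cveID": "CVE-2020-14644", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Remote Code Execution Vulnerability",
         "dateAdded": "2024-09-18", "dueDate": "2024-10-09"},
        {"cveID": "CVE-2024-8963", "vendorProject": "Ivanti", "product": "Cloud Services Appliance (CSA)",
         "vulnerabilityName": "Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability",
         "dateAdded": "2024-09-19", "dueDate": "2024-10-10"},
    ],
})

# Hypothetical asset inventory as (vendor, product) pairs; replace with a CMDB export.
INVENTORY = [("Ivanti", "Cloud Services Appliance"), ("Microsoft", "SQL Server"), ("Oracle", "WebLogic Server")]


def load_kev(feed_text: str) -> list[dict]:
    """Parse the KEV JSON and turn the two ISO date strings into date objects."""
    entries = json.loads(feed_text)["vulnerabilities"]
    for e in entries:
        e["dateAdded"] = date.fromisoformat(e["dateAdded"])
        e["dueDate"] = date.fromisoformat(e["dueDate"])
    return entries


def added_between(entries: list[dict], start: date, end: date) -> list[dict]:
    """Entries whose dateAdded falls inside the inclusive [start, end] window."""
    return [e for e in entries if start <= e["dateAdded"] <= end]


def by_date(entries: list[dict]) -> dict[date, list[str]]:
    """Group CVE IDs by the day CISA added them, in date then ID order."""
    grouped: dict[date, list[str]] = defaultdict(list)
    for e in sorted(entries, key=lambda e: (e["dateAdded"], e["cveID"])):
        grouped[e["dateAdded"]].append(e["cveID"])
    return dict(grouped)


def _matches(entry: dict, vendor: str, product: str) -> bool:
    """Case-insensitive vendor match plus substring match either way on the product name."""
    if entry["vendorProject"].lower() != vendor.lower():
        return False
    kev_product, inv_product = entry["product"].lower(), product.lower()
    return kev_product in inv_product or inv_product in kev_product


def in_inventory(entries: list[dict], inventory: list[tuple[str, str]]) -> list[dict]:
    """KEV entries that touch at least one inventoried (vendor, product)."""
    return [e for e in entries if any(_matches(e, v, p) for v, p in inventory)]


def overdue(entries: list[dict], today: date) -> list[str]:
    """CVE IDs whose remediation due date is already behind us."""
    return sorted(e["cveID"] for e in entries if e["dueDate"] < today)


def triage(feed_text: str, start: date, end: date, inventory: list[tuple[str, str]], today: date) -> dict:
    """Summarize one week's KEV additions against the inventory and the due-date clock."""
    entries = load_kev(feed_text)
    week = added_between(entries, start, end)
    return {
        "added": len(week),
        "by_date": {d.isoformat(): cves for d, cves in by_date(week).items()},
        "in_inventory": sorted(e["cveID"] for e in in_inventory(week, inventory)),
        "overdue": overdue(entries, today),
    }


def demo() -> dict:
    """Triage the constructed feed for the week of Sept 16-20, 2024, as seen on Oct 8, 2024."""
    return triage(SAMPLE_FEED, date(2024, 9, 16), date(2024, 9, 20), INVENTORY, today=date(2024, 10, 8))


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Pointing `load_kev` at the live feed is a one-line change; the substring product match is deliberately loose so that a KEV product string such as "Cloud Services Appliance (CSA)" still hits an inventory entry written as "Cloud Services Appliance", at the cost of occasional false positives that a human then clears.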
From the ransomware front,
- Dark Reading informs us,
- “Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.
- “Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.
- “In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group’s latest weapon: Inc ransomware.”
- Per Cybersecurity Dive,
- “A special legislative committee in Suffolk County, New York, found officials ignored repeated warnings and failed to prepare ahead of a September 2022 ransomware attack that disrupted essential government services for months, in a report released last week.
- “Officials blamed the ransomware attack on a failure of leadership, including the lack of an incident response plan and a failure to respond to FBI warnings of potential infiltration.
- “Suffolk County operated using a variety of IT teams and had no CISO, resulting in a lack of coordination on how to prepare for potential cyber threats. The attack has so far cost the county more than $25 million in remediation costs and other expenses.”
- Cyberscoop reports on a debate of experts at the 2024 mWISE conference about what more could be done to stop ransomware attacks in the wake of police action and tens of millions in ransom payments over the past year.
From the cyber defenses front,
- Cyberscoop points out,
- “UnitedHealth Group is still in the recovery process months after a ransomware attack on its Change Healthcare subsidiary, with its chief information security officer saying the company has essentially “started over” with regard to its computer systems.
- “When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.”
- Cybersecurity Dive adds,
- “CEOs and company boards often ask Kevin Mandia, founder and former CEO of Mandiant, how to determine the strength of their CISOs. Above all else, Mandia advises executives to assess their CISO’s disposition.
- “Do you have a CISO with a security mindset?” “If they don’t have that, you’re probably not going to have a great security program,” Mandia said Wednesday during his opening keynote at the Mandiant Worldwide Information Security Exchange conference in Denver.” * * *
- “Over the past couple of decades, Mandia has crafted a series of five questions designed to help executives and board members test their confidence in a CISO’s ability to excel in their job.
- “The questions on Mandia’s CISO confidence test include:
- How would you break into us? What is our weak spot?
- What is our worst-case scenario?
- What would you do if the worst-case scenario occurred?
- How resilient are we? How long would it take to recover our systems and applications?
- What do you need?
- “Mandia, who now serves in a strategic security advisor role at Google Cloud, said CEOs should focus on their CISO’s response to these questions as a measure of their demeanor.
- “I tell CEOs, you don’t even care what the answer is to these questions as long as your CISO actually has one, because at least that means you have the mindset,” Mandia said.”
- Health Tech offers five steps to follow after a breach.
- Per Bleeping Computer,
- “Microsoft announced today that Hotpatching is now available in public preview for Windows Server 2025, allowing installation of security updates without restarting.
- “Hotpatching deploys Windows security updates without requiring a reboot by patching the in-memory code of running processes without restarting them after each installation.
- “Among the benefits of Windows Hotpatching, Redmond highlights faster installs and reduced resource usage, lower workload impact because of fewer reboots over time, and improved security protection because it reduces the time exposed to security risks.
- “Instead of 12 mandatory reboots a year on ‘Patch Tuesday,’ you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month),” said Windows Server Director of Product Hari Pulapaka on Friday [September 20].”