From the cybersecurity policy and law enforcement front,
- Bloomberg alerts us,
- “The Biden administration is racing to put out an executive order meant to shore up US cybersecurity in its dwindling days in office, according to four people familiar with the matter.
- “The executive order, which has cleared some internal hurdles and is close to being published, incorporates lessons from a series of major breaches during the Biden administration, including the most recent Treasury Department hack attributed to China, according to people familiar with the matter who didn’t want to be named to discuss information that hasn’t yet been made public.
- “Among the measures, it directs the government to implement “strong identity authentication and encryption” across communications, according to an undated draft of the order seen by Bloomberg News. In the December Treasury hack, intruders accessed unclassified documents stored locally on laptops and desktop computers. Encrypting information sent by email and worked on in the cloud could help safeguard it from hackers who successfully access systems but then cannot open specific documents.” * * *
- “Whether President-elect Donald Trump will leave the executive order in place when he takes office remains unclear, though he’s vowed to pare back federal regulation. Trump has signaled that he intends to repeal another Biden administration order intended to provide guardrails around artificial intelligence.”
- Federal News Network provides more details on the draft EO for those interested.
- Dark Reading reports,
- “Yesterday [January 7, 2025] the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.
- “As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.
- “Known as the “US Cyber Trust Mark,” the label has been a long time coming, with the Federal Communications Commission gathering input over the past 18 months. In a bipartisan and unanimous vote, the FCC authorized the program and said 11 vendors will act as label administrators while UL Solutions will serve as the lead administrator.
- “The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency,” the White House brief read.”
- “Though this new system has good intentions for both consumers and vendors, there are concerns and speculation as to how effective this cybersecurity label will be.” Read the article for those details.
- Here’s a link to the Federal Register version of the recent proposed HIPAA Security Rule amendments which appears in the January 6, 2025, issue. The public comment deadline is March 7, 2025.
- Fedscoop tells us,
- “Guy Cavallo, the chief information officer of the Office of Personnel Management since July 2021, will retire from federal service on Jan. 13, he confirmed to FedScoop.
- “Cavallo leaves federal service having held several top technology roles over the past decade, including as deputy CIO of the Small Business Administration and executive director of IT operations at the Transportation Security Administration. He also served as OPM’s principal deputy CIO and acting CIO before being named permanent CIO.
- “As the longest-tenured CIO of OPM in recent memory, Cavallo led that charge on a two-year sprint replacing or migrating over 50 applications from legacy on-premises data centers to the cloud and the launch of the new Postal Health Benefits System last year for more than 1.7 million postal workers and retirees. He touted the system as fully operational 100% of the time with no unscheduled downtime throughout the Open Season.
- “Cavallo also led OPM to winning several Technology Modernization Fund awards in recent years, the most recent of which came in late 2024 to support the use of artificial intelligence to update legacy mainframe programs for OPM’s retirement systems.”
- The National Institute of Standards and Technology announced on January 8,
- NIST extends the public comment period on the initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) until January 17, 2025.
- NIST strongly encourages you to use the comment template and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
- For more information, see the NIST Protecting CUI Project.
- Per HHS press releases,
- “[On January 7, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced an $80,000 settlement with Elgon Information Systems (Elgon), a Massachusetts company that provides electronic medical record and billing support services to covered entities, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). The settlement resolves an investigation concerning a ransomware attack on Elgon’s information system.” * * *
- The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elgon-inc-ra-cap/index.html
- and
- “[Also on January 7, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a Virginia business associate that provides data hosting and cloud services to covered entities (health plans, health care clearinghouses, and most health care providers) and business associates, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). The settlement resolves an investigation concerning a ransomware attack on VPN Solutions’ information system.” * * *
- “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/vpns-ra-cap/index.html”
- Per Cyberscoop,
- “Microsoft is petitioning a Virginia [federal] court to seize software and shut down internet infrastructure that they allege is being used by a group of foreign cybercriminals to bypass safety guidelines for generative AI systems.
- “In a filing with the Eastern District Court of Virginia, Microsoft brought a lawsuit against ten individuals for using stolen credentials and custom software to break into computers running Microsoft’s Azure OpenAI services to generate “harmful content.”
- “In a complaint filed Dec. 19, 2024, the company accuses the group of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act and the Racketeer Influence and Corrupt Organizations Act, as well as trespass to chattels and tortious interference under Virginia state law.”
From the cybersecurity reminiscences department,
- “HHS OCR Director Melanie Fontes Rainer reflects on 2024 as a historic year filled with tremendous activities and accomplishments for OCR on Health Insurance Portability and Accountability Act of 1996 (HIPAA) rulemakings, enforcement actions, and resources for the health care sector on HIPAA privacy and cybersecurity.”
- In Cyberscoop, “National Cyber Director Harry Coker looks back (and ahead) on the Cyber Director office. It’s made real strides, but there’s a lot more that it could be doing, he said, and more that needs to be done.”
- In a blog post, Valeria Colman, the Cybersecurity and Infrastructure Security Agency’s (CISA) chief strategy officer, looks back at “CISA Through the Years: Policy and Impact.”
From the cybersecurity vulnerabilities and breaches front,
- Cybersecurity Dive reports,
- “AT&T and Verizon, two of the nine U.S. telecom companies attacked by Salt Typhoon, said they evicted the China-government sponsored threat group from their networks.
- “We detect no activity by nation-state actors in our networks at this time,” an AT&T spokesperson said in a prepared statement. A Verizon spokesperson made a similar statement, asserting the carrier has “contained the cyber incident brought on by this nation-state threat actor. An independent and highly respected cybersecurity firm has confirmed the Verizon containment.”
- “AT&T and Verizon did not say when they ejected the nation-state group from their networks, but declared their networks secure last week.”
- Dark Reading adds,
- “The Chinese threat actor group known as “Silk Typhoon” has been linked to the December 2024 hack on an agency that’s part of the US Department of the Treasury.
- “In the breach, the threat actors were able to use a stolen Remote Support SaaS API key through third-party cybersecurity vendor BeyondTrust to steal data from workstations in the Office of Foreign Assets Control (OFAC).
- “Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations.
- “Using tools such as the China Chopper Web shell, the group’s cyber-espionage campaigns focus mainly on data theft.” * * *
- “The Cybersecurity and Infrastructure Security Agency (CISA) has since confirmed that these exploits are limited to just the agency, and there is no indication that any other federal agencies have been impacted by the incident.”
- Bleeping Computer lets us know,
- BayMark Health Services, North America’s largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach.
- The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces.
- In data breach notification letters mailed to affected individuals, BayMark revealed that it learned of the breach on October 11, 2024, following an IT systems disruption. A follow-up investigation revealed that the attackers accessed BayMark’s systems between September 24 and October 14.
- Per Dark Reading,
- Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a crypto miner on their victims’ devices.
- This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.
- The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported “CRM application.”
- CISA reminds us,
- “In an era of increasingly sophisticated cyber threats, securing critical infrastructure has become a cornerstone of national security. CISA’s mission is to drive collaborative, proactive efforts to reduce risk and strengthen resilience for our nation’s critical infrastructure, federal civilian branch assets, and the private sector more broadly. While these efforts are many and varied, I’d like to highlight three particularly transformative initiatives—the Known Exploited Vulnerabilities (KEV) Catalog, Cybersecurity Performance Goals (CPGs), and the Pre-Ransomware Notification Initiative (PRNI)—to illustrate how we can collectively work to reshape the cybersecurity landscape.”
- CISA added four known exploited vulnerabilities to its catalog this week.
- January 7, 2025
- CVE-2024-41713 Mitel MiCollab Path Traversal Vulnerability
- CVE-2024-55550 Mitel MiCollab Path Traversal Vulnerability
- CVE-2020-2883 Oracle WebLogic Server Unspecified Vulnerability
- January 8, 2025
- CVE-2025-0282 Ivanti Connect Secure Vulnerability
- SC Media offers details on the January 7, 2025, KEVs, while Cybersecurity Dive discusses the January 8, 2025, KEV.
From the ransomware front,
- Axios gives us a primer on ransomware.
- Here’s a link to a helpful September 2024 CISA PowerPoint presentation about its available tools such as the Pre-Ransomware Notification Initiative.
- Security Week discusses “Temple University’s Critical Infrastructure Ransomware Attacks (CIRA)” database.
- “The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013 and includes nearly 300 entries for incidents that came to light in 2024.
- “It contains information such as name of the victim, date of the incident, country or US state, targeted critical infrastructure sector, name of the attacking threat group, duration of the incident, MITRE ATT&CK mapping, and — if known — the amount of money that was demanded by the attacker and the ransom paid by the victim.” * * *
- “The database is available for free upon request. To date it has been requested more than 1,500 times, mainly by researchers and other members of the cybersecurity industry (61%), as well as students, government entities, educators, and reporters.”
From the cybersecurity defenses front,
- Cybersecurity Dive identifies four cybersecurity trends to watch this year.
- Critical industries are up against never-before-seen challenges to remain secure and operational, while regulatory pressures have completely upended the role of the CISO in corporate America.
- Dark Reading considers current trends in artificial intelligence and cybersecurity.
- CISA Director Jen Easterly discusses “Corporate Cyber Governance: Owning Cyber Risk at the Board Level.”
- CISA also released its “Cybersecurity Performance Goals Adoption Report.”
- TechTarget shares “Top 15 email security best practices for 2025.”
- Here is a link to Dark Reading’s CISO Corner.