Cybersecurity Saturday

From the cyber policy front —

Cybersecurity Dive reports

National Cyber Director Chris Inglis said the Biden administration’s long-anticipated national cybersecurity strategy could be ready as early as late November but may take a couple of additional months for final completion. 

Inglis, speaking at the mWISE conference in Washington D.C. Wednesday, said the strategy would focus heavily on international cybersecurity issues as well as workforce development concerns, a major issue for the information security industry.

Officials have made considerable outreach to the private sector in terms of developing the strategy, with two-thirds of about 300 engagements being made with private industry officials.

and

Water, hospitals and K-12 schools will be the primary area of focus for the Cybersecurity and Infrastructure Security Agency over the next year, CISA Director Jen Easterly said Thursday at Mandiant’s mWISE Conference. 

Healthcare and water are among 16 critical infrastructure sectors CISA and other federal agencies have identified as “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” While schools are not considered critical infrastructure, they represent a soft target that is frequently hit by debilitating ransomware attacks.

CISA, in a bid to prioritize risk management and cyber resilience guidance across critical services, is placing higher emphasis, at least initially, on what Easterly describes as “target-rich, resource-poor entities.”

Health IT Security adds

For healthcare, further federal security guidance could help the sector manage risk amid an increasingly complex and active cyber threat landscape. In 2021, the healthcare sector fell victim to ransomware more than any other critical infrastructure sector, the Federal Bureau of Investigation found.

“We unfortunately continue to see ransomware attacks against hospitals, which could be helped if hospitals had a baseline to establish, maintain, and measure their cyber security hygiene and level of preparedness,” Stacy O’Mara, senior director of government affairs at Mandiant, told HealthITSecurity.* * * *

A streamlined approach could help to ease the burden on individual entities.

“While all of these existing regulations are helpful to the healthcare sector – and should evolve to account for evolving threats to patients’ medical records, medical devices, and hospitals’ networks and systems – the federal government needs to continue its efforts to harmonize and streamline regulatory requirements,” O’Mara suggested.

Amen to that suggestion.

From the cyber breach front, Fierce Healthcare tells us

Advocate Aurora Health gave notice to patients that their health data may have been exposed through tracking technology. 

Up to 3 million patients may have been impacted in the breach against the health system, which is one of the Chicago area’s largest healthcare providers.

Advocate Aurora explained in a statement on its website that through the use of internet tracking technologies certain interactions on the provider’s website were leaked. The technologies from companies like Google and Facebook’s parent company Meta put pieces of code, called pixels, on certain websites and applications.

“These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population,” the health system said in the online statement. “We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology.”

The health system said it has disabled and/or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted to third-party vendors. * * *

Advocate Aurora had advised patients to use browser tracker-blocking features or incognito mode when logging into medical portals. It also suggests that those with Facebook or Google accounts examine their privacy settings.

Wow.

Cybersecurity Dive discusses a former Uber chief security officer's conviction stemming from the handling of a ransomware incident.

Sullivan was convicted of obstructing a Federal Trade Commission probe, which had been investigating a prior breach at Uber. He was also convicted of a rarely charged crime called misprision, which involves knowing concealment of a crime.

Following the verdict, U.S. Attorney Stephanie Hinds said federal authorities expect companies to promptly alert customers and appropriate authorities when such data is stolen by hackers. 

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds said in the announcement of the verdict by the Department of Justice. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers, than in protecting users.”

Sullivan faces up to five years in prison for obstruction and up to three years in prison for misprision of a felony. 

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

The Apache Commons Text team is urging users to upgrade to version 1.10.0, which disables faulty interpolators at the center of a critical vulnerability that some security researchers have now dubbed “Text4Shell.”

Those using an earlier version of Commons Text are considered safe from the vulnerability. Apache says users are only affected when using a StringSubstitutor API without properly sanitizing untrusted input, according to a blog post released Tuesday.

The upgrade to 1.10.0 will serve as a quick workaround; however, the best option is to properly validate and sanitize any untrusted input.
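The "validate and sanitize untrusted input" advice above is easier to act on with the API in front of you. The following is an added example, not code from the article or from the Apache Commons Text project: it contrasts the default interpolating StringSubstitutor (which registers every built-in lookup) with one restricted to an explicit allow-list of application-controlled variables, plus a simple pre-check that rejects input containing substitution syntax. It assumes Commons Text is on the classpath and Java 9 or later; the class name, method names and the sample template are constructed for illustration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not from the article or the Apache project): the default
 * interpolator beside an allow-listed substitutor, which is the "validate and
 * sanitize" recommendation expressed in code.
 */
public class TemplateRendering {

    // Risky pattern: createInterpolator() registers all built-in lookups
    // (sys, env, date, and, before 1.10.0, script/dns/url as well), so any
    // "${prefix:...}" sequence inside untrusted text is handed to those lookups.
    static String renderWithDefaults(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened pattern: only a fixed map of variables the application controls is
    // resolvable. addDefaultLookups=false keeps sys/env/script and friends out, so
    // a "${sys:...}" or "${script:...}" token in the input stays literal text.
    static String renderRestricted(String template, Map<String, String> vars) {
        StringLookup allowList = StringLookupFactory.INSTANCE.mapStringLookup(vars);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of(),      // no prefixed lookups at all
                allowList,     // default lookup: our own variable map
                false);        // do not add the built-in lookups
        return new StringSubstitutor(interpolator).replace(template);
    }

    // Input check for the case where user-supplied text is data rather than a
    // template: refuse anything that carries substitution syntax before it can
    // reach a substitutor at all.
    static boolean containsSubstitutionSyntax(String untrusted) {
        return untrusted != null && untrusted.contains("${");
    }

    public static void main(String[] args) {
        Map<String, String> vars = Map.of("patient.firstName", "Alex");

        // Constructed sample input: a harmless system-property lookup stands in
        // for whatever might arrive in a web form or API field.
        String untrusted = "Hello ${patient.firstName}, home is ${sys:user.home}";

        // Only patient.firstName is resolved; the sys: token is left untouched
        // because no "sys" lookup is registered on the restricted substitutor.
        System.out.println(renderRestricted(untrusted, vars));

        if (containsSubstitutionSyntax(untrusted)) {
            System.out.println("input contains substitution syntax; rejecting it");
        }
    }
}
```

The design choice worth noting is that the restriction is structural rather than based on filtering strings: the restricted substitutor simply has no lookup registered for `sys`, `env` or `script`, so there is nothing for an unexpected token to reach. The `containsSubstitutionSyntax` check belongs at the trust boundary for fields that should never be templates; it is a complement to, not a replacement for, upgrading to 1.10.0.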

CSO Online reports

Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.

“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.

The Cybersecurity and Infrastructure Security Agency “released a security update to address vulnerabilities affecting Cisco Identity Services Engine (ISE). A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing high and low severity vulnerabilities, see the Cisco Security Advisories page.”

From the ransomware front, the American Hospital Association reports

The FBI, Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services today [October 21] alerted U.S. organizations to a cybercrime group targeting the health care sector with ransomware and data extortion operations. The group has attacked multiple organizations since June, deploying ransomware to encrypt servers responsible for health care services, exfiltrating personal identifiable information and patient health information, and threatening to release the information if a ransom is not paid. The advisory includes indicators of compromise and recommended actions to protect against these attacks.

“This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The report also contains actionable indicators of compromise, malware signatures that should be loaded into network defense and intrusion detection systems. If there is any indication of this ransomware being present on hospital or health system networks, it is recommended that immediate steps be taken to contain, isolate and remediate. It is also strongly recommended that local FBI and CISA field offices be contacted immediately.”

Here’s the latest Bleeping Computer Week in Ransomware.

From the cyber defenses front —

Health IT Security informs us

Enabling multi-factor authentication (MFA) is “the single most important thing Americans can do to stay safe online,” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wrote in a CISA blog post.

But Easterly encouraged businesses and technology vendors in particular to go one step further and ensure that FIDO authentication is part of their MFA implementation plans.

“We’ve known for years that any form of MFA is better than no MFA. That’s still true, but we’ve also known that at some point ‘traditional MFA’ would become ‘legacy MFA’ and need to be reassessed or even replaced,” Easterly wrote.

“Luckily a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA.”

According to its website, the FIDO Alliance is an open industry association united by the goal of reducing “the world’s over-reliance on passwords.”

The FIDO Alliance has globally available technical specifications and industry certification programs that make authentication simpler and more secure.

Security Magazine provides an overview of cyber defenses drawn from an IBM report.