Cybersecurity Saturday

From the cybersecurity policy front —

Health IT Security informs us

President Biden issued a proclamation declaring November as Critical Infrastructure Security and Resilience Month. The President highlighted ways in which the Administration has taken action to protect critical infrastructure from cyber and physical threats and underscored the importance of security awareness and action to maintain critical infrastructure resilience.

The Cybersecurity and Infrastructure Security Agency applauded the President’s action.

Throughout November, CISA will be bringing the world of infrastructure security and resilience to life with interviews and blogs featuring CISA staff and external industry partners, as well as other activities. We encourage everyone to visit CISA’s Infrastructure Security Month webpage for more information and resources. Be sure to follow CISA on social media throughout the month for resources, tools, and tips you can use to help identify and reduce risk to infrastructure facilities, their internet and operational technology systems, employees, visitors and more.

Cybersecurity Dive adds

Officials at the Cybersecurity and Infrastructure Security Agency are optimistic that U.S. companies will embrace its efforts to boost cooperation on raising cybersecurity performance goals, sharing intelligence and building resiliency.  * * *

“We need to ensure that we’re coming together to really protect the technology ecosystem instead of putting the burden on those least able to defend themselves,” [CISA Director Jen] Easterly said during the forum [hosted by the Center for Strategic and International Studies on November 1]. “So [I’m] very excited about what I’m seeing from the technology companies.”

Another objective is to get more large companies to embrace cybersecurity as a corporate governance concern, not just a technology concern, Easterly said.

From the cyber vulnerabilities front

The Healthcare Sector Cybersecurity Coordination Center issued a PowerPoint presentation about Iranian Threat Actors and Healthcare.

CISA added one more known exploited vulnerability to its catalog.

Last Tuesday, CISA announced

OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6.

Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786, “can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution,” allowing them to take control of an affected system.

CISA encourages users and administrators to review the OpenSSL advisory, blog, and OpenSSL 3.0.7 announcement, and upgrade to OpenSSL 3.0.7. For additional information on affected products, see the 2022 OpenSSL vulnerability – CVE-2022-3602 GitHub repository, jointly maintained by the Netherlands’ National Cyber Security Centrum (NCSC-NL) and CISA.
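The first thing an administrator wants after reading that advisory is a quick way to tell whether a host's OpenSSL falls in the 3.0.0 through 3.0.6 range. The script below is an added example, not part of the CISA announcement or of OpenSSL's own tooling; it parses `openssl version` banners (the sample banners are constructed) and classifies them against the range the advisory names.

```python
import re
import subprocess

# Affected range from the advisory quoted above: OpenSSL 3.0.0 through 3.0.6,
# fixed in 3.0.7. The 1.1.1 and 1.0.2 series are outside the affected range.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# `openssl version` prints e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# Only the numeric triple matters here; a trailing patch letter (1.1.1q) is ignored.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return the (major, minor, patch) triple from an `openssl version` banner,
    or None when the banner is not an OpenSSL banner (e.g. LibreSSL)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when 3.0.0 <= version < 3.0.7, i.e. the range named in the advisory."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(banner):
    """Classify a banner as 'affected', 'not-affected' or 'unknown'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def local_openssl_banner():
    """Run the system `openssl version`; returns '' if the binary is missing."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return ""
    return result.stdout


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS + [local_openssl_banner()]:
        if banner:
            print(f"{banner.strip()!r}: {assess(banner)}")
```

The system binary is only part of the picture: applications that statically link or bundle their own libssl are not covered by this check, which is why the advisory points to the NCSC-NL/CISA GitHub repository for affected products.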

From the ransomware front

The Wall Street Journal reports

U.S. banks flagged ransomware-related transactions adding up to more than $1 billion in 2021, the Treasury Department said, although risk experts said that barely scratches the surface of cybercrime’s true economic scale.

Data released by the Financial Crimes Enforcement Network, or FinCEN, this week showed the number and value of transactions that banks had flagged as related to ransomware in 2021 reached $1.2 billion, spread across 1,489 reports to regulators. In 2020, such transactions totaled $416 million across 487 reports.

“I think we’re seeing the tip of the iceberg in terms of what these actual payments are,” said Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association, a trade group for banks. 

Wow.

Cyberscoop tells us

On Tuesday [November 1], the White House wrapped up a two-day ransomware summit, where participants agreed to stand up a voluntary International Counter Ransomware Task Force to serve as a base for coordinated disruption and threat sharing. The initiative, which will launch sometime early next year, will start with a fusion center operated out of Lithuania’s Regional Cyber Defense Center as a test case for a bigger information-sharing program.

From the cybersecurity defenses front

HIPAA Journal relates

The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach. * * *

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. * * *

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity to inform them they can voluntarily provide evidence that Recognized Security Practices have been in place. * * *

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting.

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices only mitigate against HIPAA Security Rule investigations and audits, not other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

CISA released guidance on phishing-resistant multifactor authentication this week. Cybersecurity Dive adds

Phishing-resistant multifactor authentication isn’t just the strongest form of MFA — it’s “the gold standard for MFA,” according to the Cybersecurity and Infrastructure Security Agency.

The federal agency this week published a fact sheet to clarify its definition of phishing-resistant MFA and provide guidance and prioritization schemes for organizations to implement the safeguards in logical phases. 

Three key recommendations from CISA:

  • Stick to FIDO standards and the Web Authentication API (WebAuthn) protocol.
  • Take stock of your IT systems, determine which platforms support MFA and start there.
  • Roll out phishing-resistant MFA in phases, placing early emphasis on high-value targets and resources.

FIDO standards and the WebAuthn protocol are the only widely available phishing-resistant forms of MFA, according to CISA. The protocol and standard, both developed by the FIDO Alliance, can work together to bolster MFA.
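What makes FIDO/WebAuthn phishing-resistant is that the browser and authenticator bind each login to the site's real origin and relying-party ID, and the server checks that binding before it trusts the response. The script below is an added example (not from CISA's fact sheet or the Cybersecurity Dive article) of those relying-party checks; the relying-party ID `example.com`, the origin `https://login.example.com`, the challenge bytes and the look-alike domain are all assumed values constructed for the demonstration, and the signature check a full verifier also performs is left out to keep the binding logic in focus.

```python
import base64
import hashlib
import json
import struct

# Assumed relying-party values for this example; a real deployment uses its own.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"

# Authenticator data flag bits (WebAuthn spec): UP = user present, UV = user verified.
FLAG_UP = 0x01
FLAG_UV = 0x04


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge,
                             rp_id=RP_ID, expected_origin=EXPECTED_ORIGIN):
    """Relying-party checks on an authentication assertion that give WebAuthn its
    phishing resistance. Returns (ok, reason). The signature check over
    authenticatorData || SHA-256(clientDataJSON) is deliberately omitted here;
    a real verifier performs it after these checks pass."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    # The challenge ties this assertion to the session that issued it (no replay).
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # The browser records the origin the user is actually on; a look-alike domain fails here.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % client_data.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # The authenticator scopes the credential to the rpId; its hash must be ours.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode("ascii")).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    return True, "ok"


def build_sample_assertion(origin, rp_id, challenge, counter=1):
    """Construct the two client-side artifacts in the shape a browser and
    authenticator produce them, for offline testing only (no real authenticator)."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")
    authenticator_data = (
        hashlib.sha256(rp_id.encode("ascii")).digest()  # rpIdHash (32 bytes)
        + bytes([FLAG_UP | FLAG_UV])                     # flags (1 byte)
        + struct.pack(">I", counter)                     # signature counter (4 bytes)
    )
    return client_data_json, authenticator_data


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP issues random bytes per login
    good = build_sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    print("legitimate login:", verify_assertion_binding(*good, challenge))
    # Look-alike domain: the browser reports the origin it is really on, so the RP rejects it.
    phish = build_sample_assertion("https://login.examp1e.com", "examp1e.com", challenge)
    print("look-alike site:", verify_assertion_binding(*phish, challenge))
```

This is the contrast with one-time codes: a code typed into a look-alike page is indistinguishable from one typed into the real page, whereas a WebAuthn assertion carries the origin and rpId hash the browser and authenticator observed, and the relying party rejects anything that does not match its own.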