Cybersecurity Saturday

From the cybersecurity policy front —

  • Homeland Security Today reports
    • “This week, U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), along with U.S. Representatives James Comer (R-KY) and Jamie Raskin (D-MD), Chairman and Ranking Member of the Committee on Oversight and Accountability, and Nancy Mace (R-SC) and Gerald E. Connolly (D-VA), Chairwoman and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, introduced bicameral, bipartisan legislation to protect federal information technology systems. 
    • “The Federal Information Security Modernization Act (FISMA) of 2023 would improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats. It also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.”
  • Cybersecurity Dive tells us,
    • The Biden administration released its implementation plan for the national cybersecurity strategy Thursday, delegating cyber initiatives to a smattering of government agencies.
    • The plan, which is designed to guide the government’s completion of the national cybersecurity strategy, comes four months after the policy blueprint was unveiled.
    • “If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there,” Kemba Walden, acting national cyber director, said Wednesday during a press briefing.
    • “Fundamentally, we are publishing this plan because we will only achieve our goals with a whole-of-society approach,” Walden said. * * *
    • The 57-page document divides the five pillars and 27 objectives of the national cybersecurity plan into a broader series of initiatives.
    • While the implementation plan calls for the majority of initiatives to be completed before the end of fiscal year 2024, 11 are slated to be done in FY23, which closes at the end of September.
  • Cyberscoop adds
    • “As a concept, I generally like the idea of pushing to try and harmonize regulations. There are so many different regulations for different sectors out there that it can be a little bit confusing for owner-operators,” said Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative.
    • “In pushing for one big set of regulation for all critical infrastructure, you kind of risk missing a lot of the nuance that exists in the differentiation and the realities of different critical infrastructure sectors,” Loomis said.
    • “And as the U.S. government works to assess the scope of the Chinese hacking campaign that utilized a flaw in Microsoft’s cloud computing systems, Loomis said he was disappointed that the implementation plan did not look more closely at cloud security.”
  • The Wall Street Journal points out,
    • “The hack of email accounts of senior U.S. officials including the commerce secretary is the latest feat from a network of Chinese state-backed hackers whose leap in sophistication has alarmed U.S. cybersecurity officials. 
    • “The espionage was aimed at a limited number of high-value U.S. government and corporate targets. Though the number of victims appeared to be small, the attack—and others unearthed in the past few months linked to China—demonstrated a new level of skill from Beijing’s large hacker army and prompted concerns that the extent of its infiltration into U.S. government and corporate networks is far greater than currently known.”
  • In sum, crafting an effective cybersecurity strategy is a tall order.

From the cybersecurity vulnerabilities and breaches front —

  • Bleeping Computer reported on July 11,
    • “HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.
    • “HCA Healthcare is one of America’s largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.
    • “As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.
    • “The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.
    • “The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to ‘meet the demands.’ This is likely related to financial demands, although it wasn’t explicitly mentioned.
    • “However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.”
  • Cybersecurity Dive offers an update on the slow-moving MOVEit file transfer disasters.
    • “More than 300 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.”
  • Speaking of zero-day vulnerabilities, Security Week reported on July 11
    • “In an unusual move, Microsoft documented ‘a series of remote code execution vulnerabilities’ impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
    • “Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities to its catalog on July 11 and two more on July 13.
  • HHS’s Health Sector Cybersecurity Coordination Center released its report on June Vulnerabilities of Interest to the Health Sector.
    • “In June 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for June are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, and MOVEit. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • HC3 also posted a PowerPoint titled “Artificial Intelligence, Cybersecurity and the Health Sector.”
  • Health IT Security points out
    • The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a new publication entitled “Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP).”
    • HIC-CHIRP provides healthcare organizations with a template for navigating a coordinated incident response when faced with disruptive cyber incidents. Specifically, the publication seeks to address healthcare-specific gaps in existing incident response resources.

In ransomware news,

  • Bleeping Computer lets us know,
    • “Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
    • “According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.”

From the cybersecurity defenses front —

  • CSO Online shares best practices for an effective cybersecurity strategy.
  • TechRepublic discusses Gartner’s 2023-24 cybersecurity outlook.
  • Forbes offers twenty cybersecurity training tips designed to make the training “stick.”