Cybersecurity Saturday

From the cybersecurity policy front,

  • We learn from Cybersecurity Dive that
    • Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which Cybersecurity and Infrastructure Security Agency Director Jen Easterly expects to be done by the end of this year or early 2024 at the latest, she said Wednesday at the Billington Cybersecurity Summit. The act, signed in March 2022, requires critical infrastructure providers to report major cyber incidents and ransomware payments to the agency.
    • “But until we have that in place, we need to make sure we are communicating around threats, realizing that a threat to one is a threat to many,” Easterly said. 
    • Easterly said the agency has made significant progress in building a collaborative model for sharing intelligence and gaining visibility into threats facing the nation, but said more work still needs to be done.
  • Per Fedscoop,
    • “New policy guidance is coming soon to help agencies comply with the Federal Risk and Authorization Management Program (FedRAMP) as the cloud landscape evolves, according to the federal government’s No. 2 IT official.
    • “Drew Myklegard, deputy federal CIO, said Thursday at FedScoop’s FedTalks that the forthcoming guidance comes as the federal cloud marketplace has evolved to be more dominated by software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings. 
    • “The landscape has changed. SaaS — and now it’s heavy, heavy SaaS — and a lot of PaaS providers really need access to the government and their mission. So now we’re pivoting and it takes a couple of years to do that, but we’re pivoting towards that market,” Myklegard said.
    • “He continued: “We’ve seen an exponential growth every couple of years of these SaaS providers and the tools. But what we haven’t seen is similar exponential growth in their adoption, at least like ATO-ed [authority to operate], secured and monitored by the CIOs out there of those types of products.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “A record year for cyberattacks on U.S. hospitals is putting patients in danger, as hospitals struggle to cope with disabled equipment and frozen data, an official from the American Hospital Association warned Thursday.
    • “Hackers, especially ransomware groups, are routinely taking down medical applications and internet connections, and freezing up patient and operations data, John Riggi, national adviser for cybersecurity and risk at the AHA, said, speaking at a meeting of the Healthcare Information and Management Systems Society. 
    • “Email and phones go down. Backup computers generally don’t work or have only about three days of data on them,” Riggi said. “We have seen this consistently,” he told the audience of healthcare technology and cyber leaders.”
  • The American Hospital Association adds,
    • “The U.S. Treasury Department, in coordination with the United Kingdom, Sept. 7 sanctioned 11 individuals who are part of the Russia-based Trickbot cybercrime group, whose targets have included hospitals and other critical infrastructure organizations. The Department of Justice also unsealed indictments against nine individuals in connection with Trickbot malware and Conti ransomware, including seven of the sanctioned individuals. According to the agencies, the Trickbot group in 2020 launched a wave of ransomware disruptions against U.S. hospitals and health care facilities, in one case deploying ransomware that disrupted computer networks and telephones at three Minnesota facilities and caused them to divert ambulances.”  
  • Last week, the Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog.
  • Cybersecurity Dive points out
    • “A consumer signing key that caused security headaches for Microsoft earlier this year was exposed in an April 2021 crash dump, the company said Wednesday. A China-based threat group behind attacks later used the key to compromise more than two dozen customers, including U.S. State Department emails earlier this year. 
    • “Microsoft disclosed the crash dump, which redacts sensitive information, as part of an internal investigation into how the consumer signing key was left exposed. The threat group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer following the crash dump,
    • “The threat group stole sensitive emails from the State Department and reportedly U.S. Commerce Secretary Gina Raimondo.”
  • Per Krebs on Security, “Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach.”

From the ransomware front,

  • Security Week reports,
    • “Cisco this week raised the alarm on a zero-day in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that has been exploited in Akira ransomware attacks since August.
    • “Tracked as CVE-2023-20269 (CVSS score of 5.0, medium severity), the issue exists in the remote access VPN feature of Cisco ASA and FTD and can be exploited remotely, without authentication, in brute force attacks. 
    • “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explains in an advisory.”
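Because the Security Week item describes an issue that is abused through remote brute-force attempts against the remote access VPN login, the detection a defender most wants is simply "many authentication rejections from one source in a short window, especially across many usernames." The script below is an added illustration, not code from Security Week, Cisco, or this blog. Its input lines are constructed for the example and are only modeled on the shape of Cisco ASA syslog message 113005 (AAA user authentication rejected); the hostnames, addresses, usernames, 60-second window, and threshold of five failures are all assumptions chosen for the demonstration, and the lines are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines modeled on Cisco ASA message ID 113005
# ("AAA user authentication Rejected"). Host names, IP addresses and user
# names are made up for this example; one 113004 (success) line is included
# to show that non-rejection events are ignored by the parser.
SAMPLE_LOGS = [
    "Sep 06 2023 10:15:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7",
    "Sep 06 2023 10:15:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.20",
    "Sep 06 2023 10:15:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7",
    "Sep 06 2023 10:15:06 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice",
    "Sep 06 2023 10:15:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7",
    "Sep 06 2023 10:15:13 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7",
    "Sep 06 2023 10:15:17 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.7",
    "Sep 06 2023 10:15:21 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7",
]

# Regex for the constructed 113005-style line. Field order is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)


def parse_failure(line):
    """Return a dict for an authentication-rejected line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "reason": m["reason"].strip(),
        "server": m["server"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` rejections inside a sliding `window`.

    Returns {src_ip: {"failures": count_in_window, "users": sorted user names tried}}.
    Lines must be in chronological order; the per-source deque holds only the
    timestamps still inside the window, so memory stays bounded per source.
    """
    recent = defaultdict(deque)   # src -> timestamps of rejections in window
    users = defaultdict(set)      # src -> distinct user names seen (spray indicator)
    alerts = {}
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        users[ev["src"]].add(ev["user"])
        # Drop timestamps that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["src"]] = {"failures": len(q), "users": sorted(users[ev["src"]])}
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOGS).items():
        print(f"{src}: {info['failures']} rejections in window, users tried: {info['users']}")
```

The distinct-user list is what separates a single user mistyping a password from one source walking through many accounts, which is the pattern a rate limit or a block on the source should respond to; the single rejection from 198.51.100.20 never reaches the threshold and is not reported.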

From the cybersecurity defenses front,

  • Cybersecurity Dive identifies the top five behaviors of successful CISOs thanks to Gartner Research.
  • Dark Reading discusses three strategies for defending against “resurgent info stealers.”
  • An ISACA expert explores using near-miss incidents as risk indicators.