Cybersecurity Saturday

Happy Juneteenth. Cyberscoop reports that

The Senate on Thursday confirmed Chris Inglis as the new White House cyber czar, a role it enacted into law late last year.

The new role will play a key part in coordinating the government response to major hacks and other cybersecurity threats. Inglis takes on the position as the U.S. has dealt with an onslaught of cybersecurity incidents, including ransomware attacks on Colonial Pipeline and meat supplier JBS. The national cyber director will also lead the implementation of cyber policy and strategy, including efforts mandated by the Biden administration to improve federal cybersecurity.

The Wall Street Journal informs us

The private sector in the U.S. must do more to defend against cyberattacks, lawmakers from both major parties stressed Thursday as several senators introduced legislation designed to target hackers. The ransomware incident that brought operations at Colonial Pipeline Co. to a standstill for six days starting May 7, and resulted in fuel shortages across Southeastern states, shows that cybersecurity efforts must improve, said Sen. Sheldon Whitehouse (D., R.I.). “Partly, it’s the national cybersecurity establishment that needs to step up its game. And partly, it’s the corporate community that has been caught with its figurative trousers down,” Mr. Whitehouse said, speaking at a press conference Thursday with Sens. Lindsey Graham (R., S.C.) and Richard Blumenthal (D., Conn.).

* * *

Christopher Roberti, senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce, which says it is the world’s largest business association, said companies don’t stand a chance against determined nation-state attacks regardless of cybersecurity investments. Partnerships between the government and the private sector are essential, he said. “Businesses must take necessary steps to ensure their cyber defenses are robust and up to date, and the U.S. government must act decisively against cyber criminals to deter future attacks. Each has a role to play and both need to work closely to do more,” Mr. Roberti said.

Federal News Network offers an interesting interview with Chris Golden, director of Information Security at Horizon Blue Cross Blue Shield of New Jersey and a founding member of the Defense Department’s Cybersecurity Maturity Model Certification accreditation program. Of note:

Tom Temin [FNN]: And then there’s also hints that the CMMC program could spread to the civilian agencies, and therefore some unknown number of additional or marginal numbers of companies added into the mix. So then you’ve got more scaling issues.

Chris Golden: You’ve already seen Department of Homeland Security and the General Services Administration (GSA) put in what I would call contingency CMMC clauses in their contracts, they basically say, “Hey, we may change this contract to include a CMMC requirement. We’ll let you know after you sign” – it kind of thing. So these other government agencies are leaning in that direction, I think it’s probably going to be pretty obvious that most of them will go there. And eventually, it’ll be a whole of government approach. And then I think you’ll start seeing it go to people that don’t do any contracting with the government, right? Once the regulators start looking at and going, hey, in healthcare let’s say – that’s the area I work in – maybe a regulator says, “Well, maybe I’ll take a SOC 2 type 2 audit this year, but next year, maybe the CMMC thing is what I really need? Maybe that’s a better approach to managing risk?” And so once you see that happen, you’ll see sort of grow and balloon, and then we haven’t even talked internationally as our international partners, who do participate in the supply chain and will have to be CMMC-assessed but how do they fit into this sort of big puzzle as it sort of goes global? So yeah, there’s a potential here for a huge ballooning of this thing.

It would not be a true Cybersecurity Saturday post without a link to Bleeping Computer’s “This Week in Ransomware” post:

Compared to the last few weeks, it has been a relatively quiet week with no ransomware attacks causing widespread disruption.

It was a good week for law enforcement, with Ukrainian police arresting members of the Clop ransomware gang and the South Korean police arresting computer repairmen installing ransomware.

We also saw some interesting research released on LockBit and the Hades ransomware, as well as an updated Avaddon Ransomware decryptor that can decrypt more victims’ files.

Finally, President Biden met with Russian President Putin to discuss the recent cyberattacks. Whether something changes from that meeting is too soon to tell.

Also, here’s a link to a nifty article with cybersecurity tips. Tech Republic informs us about a “new IBM global report examining consumer behaviors [that] finds an average of 15 new online accounts were created and 82% are reusing the same credentials some of the time.”

Cybersecurity Saturday

Ransomware remained on the front pages this week. Bleeping Computer’s This Week in Ransomware tells us that

It has been quite the week when it comes to ransomware, with ransoms being paid, ransoms being taken back, and a ransomware gang shutting down.

This week’s biggest news was the FBI announcing that they were able to recover the majority of the $4.4 million ransom payment paid by Colonial Pipeline. It is not entirely clear how they obtained the private key for the cryptocurrency wallet, but it is believed DarkSide stored it on a seized server.

We also learned that JBS paid $11 million to the REvil ransomware operation to retrieve a decryptor and prevent stolen files from being leaked.

In a bit of good news, the Avaddon ransomware operation shut down and released the decryption keys of close to 3,000 victims to BleepingComputer. Using these, cybersecurity firm Emsisoft was able to release a free decryptor.

Finally, news broke this week that memory maker ADATA and food services supplier Edward Don suffered ransomware attacks.

The Wall Street Journal reports in greater detail on the FBI’s recovery of a portion of the Colonial Pipeline Bitcoin ransom and on a “ruthless” cybercrime gang known as Ryuk, which targets healthcare providers after banks tightened up their security.

Cyberscoop discusses the Senate confirmation hearings last week for President Biden’s two top level cybersecurity nominations, Jen Easterly to lead the Department of Homeland Security’s cybersecurity agency, and Chris Inglis to be the national cyber director.

The nominees labeled ransomware a “scourge” that threatens national security, vowed to work with critical infrastructure firms to improve their defenses, and wondered aloud if additional federal regulations were necessary to incentivize firms to reduce their vulnerabilities to hacking.

The U.S. government, Inglis said, must “seize back the initiative that has too long been ceded to criminals and rogue nations who determine the time and manner of their transgressions.” He called on the U.S. and its allies to “remove the sanctuary [to ransomware criminals] and bring to bear consequences on those who hold us at risk.”

Easterly spoke with similar urgency: “We’re now at a place where nation-states and non-nation-state actors are leveraging cyberspace largely with impunity to threaten our privacy, our security and our infrastructure.”

Govinfo Security informs us that

As the federal government hammers out national infrastructure legislation, implements President Biden’s recent cybersecurity executive order and adopts other related initiatives, more attention and funding needs to be allocated to strengthen the healthcare sector’s cybersecurity posture and resilience, some industry groups urge.

In a letter Wednesday addressed to Biden, but also copied and sent to Senate and House party leaders, the Healthcare and Public Health Sector Coordinating Council requested heightened collaboration between industry and government to provide a road map for driving improvements to the cybersecurity readiness of the healthcare sector.

HSCC, a private-sector critical infrastructure advisory council to the Department of Health and Human Services created by Presidential Policy Directive 21 in 2013 during the Obama administration, represents more than 300 healthcare sector organizations, including patient care delivery networks, health plans, laboratories and health IT vendors.

Ars Technica reports on the long tail of ransomware attacks.

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The article directs concerned readers to the Have I Been Pwned website, which aggregates breach information as a service to consumers.

In that regard, ISACA reminds us about the important role that data destruction policies play in maintaining cyber hygiene.

Cybersecurity Saturday

The Wall Street Journal reports on its interview with FBI Director Christopher Wray:

FBI Director Christopher Wray said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia, and compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Mr. Wray said in an interview Thursday. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Mr. Wray’s comments—among his first publicly since two recent ransomware attacks gripped the U.S. meat and oil-and-gas industries—come as senior Biden administration officials have characterized ransomware as an urgent national-security threat and said they are looking at ways to disrupt the criminal ecosystem that supports the booming industry. Each of the 100 different malicious software variants is responsible for multiple ransomware attacks in the U.S., Mr. Wray said.

In that regard, Cyberscoop informs us about the latest moves in a long dance between the feds and private sector over cybersecurity, with a tempo that has hastened considerably since the Colonial Pipeline ransomware attack, and Bleeping Computer offers its latest week in ransomware report.

Earlier this week, Scripps Health, the San Diego health system, accounted for the protected health information losses, totaling 147,000 patient records, that it incurred in its early May ransomware attack.

The FEHBlog shares the American Hospital Association’s sentiments:

White House issues memo urging vigilance against ransomware threats. The White House today released a memo from Anne Neuberger, Deputy Assistant to President Biden, and Deputy National Security Advisor for Cyber and Emerging Technology, urging business executives to immediately convene their leadership teams to discuss ransomware threats and review corporate security posture and business continuity plans. The memo reiterates high-impact best practices for organizations to adopt: adoption of multi-factor authentication, endpoint detection and response, encryption and deploying skilled, empowered security teams. In addition, the AHA also recommends as high impact having network segmentation in place; tested, offline secure backups; incident response planning; and staff trained to recognize and report phishing emails.
“We are pleased to see the memo from the White House stressing the importance of some fundamental-but-essential cybersecurity measures which most hospitals and health systems already have in place,” said John Riggi, AHA’s senior advisor for cybersecurity and risk. “From AHA’s perspective, equally important to stopping ransomware attacks is the tangible actions the government will take to, as they stated, ‘hold ransomware actors and the countries who harbor them accountable.’ We agree that neither the private sector nor the government can fight this battle alone. We also reiterate, as we did in our testimony before the Senate and our public statements, that defense is only half of the equation which provides the solution to this national security threat.”

ISACA discusses the importance of security risk assessments and risk-informed decision making to cybersecurity protection.

Over the past two weeks, HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, announced its 19th patient right-to-access settlement and a Security Rule related settlement.

Cybersecurity Saturday

ISACA provides a summary of the President’s executive order on cybersecurity issued earlier this month.

From the “whoops, I forgot to patch my system” front:

  • The American Hospital Association reports that “Cyber actors continue to exploit vulnerabilities in the operating system for the Fortinet network security system, the FBI warned [Thursday May 27], noting that a group ‘almost certainly’ exploited a Fortigate appliance this month to access a webserver hosting the domain for a U.S. municipal government. The agency said actors are actively targeting a broad range of victims across multiple sectors. The alert recommends actions to help organizations guard against the threat.” More background on the Fortinet situation is available on ZDNet.
  • Bleeping Computer informs us that “A new ransomware threat calling itself Red Epsilon has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network. * * * The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in on-premise Microsoft Exchange server. * * * Because of the critical severity, organizations across the world rushed to install the patches and in less than a month about 92% of the vulnerable on-premise Microsoft Exchange servers received the update.”
  • Here is a link to Bleeping Computer’s This Week in Ransomware for May 28, 2021.
  • Also, for macOS users like the FEHBlog, Fortune reports that “A newly discovered flaw in the macOS operating system could allow intruders to take screenshots, record video, or access files on a hard drive without the machine owner’s knowledge. * * * A type of malware, dubbed XCSSET, which was first discovered last year, has found a way to use permissions obtained by other apps to bypass TCC, giving it broad access to infected Macs. * * * Apple already has issued a patch to keep XCSSET from using this vulnerability and is encouraging anyone running macOS 11.4 or later to download it immediately.”

From the phishing front, Security Week alerts us that

The Russia-linked threat group believed to be behind the SolarWinds attack has been observed launching a new campaign this week. The attacks have targeted the United States and other countries, and involve a legitimate mass mailing service and impersonation of a government agency.

The latest attacks were analyzed by Microsoft, which tracks the threat actor as Nobelium, and by incident response firm Volexity, which has found some links to APT29, a notorious cyberspy group previously linked to Russia.

The campaign appears to have started on May 25 and Microsoft said it involved malicious emails being sent to roughly 3,000 accounts across over 150 organizations in 24 countries. The highest percentage of emails went to the United States, but Volexity also saw a significant number of victims in Europe.

Targeted organizations include government agencies, think tanks, NGOs, and consultants. Microsoft said at least a quarter of the targets are involved in human rights and international development work.

Meanwhile, Fortune reports that

Several cyber security startups like IronScales and Vade Secure are using machine learning to spot phishing emails. Venture capitalists are betting that these startups will eventually become big businesses.

Tessian co-founder and CEO Tim Sadler said that his startup analyzes a company’s corporate emails to discover patterns, such as common email addresses that people correspond with, which could indicate that they are messages to customers, for instance. The company then uses this data to train a machine-learning model, which can scan emails and flag those that are suspicious before employees click on them.

The machine learning system also displays the reasons why it suspects an email is fraudulent, such as it featuring a strange web link or misspellings of employee names. * * *

One challenge facing companies trying to combat phishing is the rise of more realistic attacks aided by advances in natural language processing, a subset of A.I. that involves computers creating and understanding text. Bishop said that advances in powerful language models like OpenAI’s GPT-3 system could lead to criminals more easily creating phishing emails that appear to be personalized to particular recipients. For instance, such an email could contain an A.I.-generated message in which the writing style is similar to a worker’s boss, making it harder to spot a fraud.

As a result, Tessian, and other companies, are on a quest to improve their A.I. to detect more advanced A.I.-powered phishing attacks, which could one day be as “prevalent as spam,” [Tessian co-founder and chief technology officer Ed] Bishop said.

Cybersecurity Saturday

It has been another crazy ransomware week as reflected in Bleeping Computer’s weekly update headlined “Healthcare Under Attack.”

The Wall Street Journal in an article about why the Colonial Pipeline paid ransom quotes “Ciaran Martin, the former head of the National Cyber Security Center, the British government’s cybersecurity agency.”

“There are three problems contributing to the ransomware crisis,” Mr. Martin said. “One is Russia sheltering organized crime. A second is weak cybersecurity in too many places. But the third, and most corrosive, problem is that the business model works spectacularly for the criminals.”

In that regard, Cyberscoop and the American Hospital Association report on the Conti ransomware gang which last week struck Ireland’s health system. Here is a link to the FBI’s May 20 alert on the Conti gang.

STAT and Becker’s Health IT bring us up to date on the May 1 ransomware attack on Scripps Health in San Diego, which was eclipsed publicly by the ransomware attack against Colonial Pipeline. The articles illustrate how these attacks have a lot of ramifications that can’t be cleaned up overnight.

ISACA and Security Boulevard provide insights into securing protected health information and other types of confidential data.

And let’s not lose sight of the SolarWinds cyberattack. SecurityWeek reports that

The hackers who carried out the massive SolarWinds intrusion were in the software company’s system as early as January 2019, months earlier than previously known, the company’s top official said Wednesday [May 20]. SolarWinds had previously traced the origins of the hack to the fall of 2019 but now believes that hackers were doing “very early recon activities” as far back as the prior January, according to Sudhakar Ramakrishna, the company’s president and CEO.

Also Wednesday, Ramakrishna apologized for the way the company blamed an intern earlier this year during congressional testimony for poor password security protocols. That public statement, he said, was “not appropriate.” “I have long held a belief system and an attitude that you never flog failure. You want your employees, including interns, to make mistakes and learn from those mistakes and together we become better,” he added. “Obviously you don’t want to make the same mistake over and over again. You want to improve.”

Cybersecurity Saturday

Particularly if you live on the East Coast, the Colonial Pipeline ransomware incident has given you practical familiarity with ransomware. Bleeping Computer provides the latest details on the denouement of the incident.

On Wednesday, President Biden issued an executive order on cybersecurity. Here’s a link to the accompanying fact sheet, and Nextgov and Cyberscoop also report on the EO. The EO focuses attention on the federal government and its information technology and operations technology contractors. The FEHBlog expects that the EO will kick loose a couple of related Federal Acquisition Regulation (FAR) cases (2017-013 and 2017-016) that have been under development for going on four years.

Health IT Security reports that “recent federal threat alerts detail ongoing Russian-backed and Avaddon ransomware campaigns targeting global entities, including healthcare and COVID-19 vaccine developers.”

ZDNet informs us that

Web applications represented 39% of all data breaches in the last year, with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report.

The report, based on 5,358 breaches from 83 contributors around the world, highlights how the COVID-19 pandemic-driven move to the cloud and remote work opened up a few avenues for cybercrime.

Here are some more figures to ponder in the Verizon Business DBIR [which is always worth a gander]:

  • 85% of breaches involved a human element.
  • 61% of breaches involved credentials.
  • Ransomware appeared in 10% of breaches, double the previous year.
  • Compromised external cloud assets were more common than on-premises assets in incidents and breaches.

Cybersecurity Saturday

Ransomware attacks remain in the headlines. Today Bloomberg reports

Colonial Pipeline is working to restore operations after a cyber-attack prompted the company to take its systems offline, threatening the supply of refined petroleum products to gas stations in major cities on the U.S. eastern seaboard.

The Washington Post reported that ransomware was used in the attack, citing two U.S. officials it didn’t identify. It wasn’t clear if the attack was carried out by foreign government hackers or a criminal group, the officials told the Post.

Cyberscoop reports on two major ransomware attacks on healthcare organizations — Scripps Health in San Diego and the Kansas-based Midwest Transplant Network — which have occurred since the last Cybersecurity Saturday post. Bleeping Computer maintains a log of ransomware attacks and issues here.

ZDNet calls attention to a new “paper by the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF) – a coalition of cybersecurity companies, government agencies, law enforcement organisations, technology firms, academic institutions and others – [that] has 48 recommendations to help curb the threat of ransomware and the risk it poses to businesses, and society as a whole, across the globe.”

The FBI offers password guidance in honor of World Password Day, which was held last Thursday, May 6.

“The following tips may help protect you and your information from a breach:

  • Make sure, at the very least, that your email, financial, and health accounts all have different unique passwords and/or passphrases.
  • Make sure your password is as long as the system will allow.
  • Set up multi-factor authentication for your accounts.
  • Don’t allow password ‘hints.’”

In closing here are a few cybersecurity tidbits —

  • Cyberscoop reports that “The Department of Homeland Security announced on Wednesday that it intends to hire 200 new cybersecurity professionals by July as the Biden administration aims to curb ransomware attacks affecting U.S. corporations, as well as foreign espionage operations.”
  • Fortune informs us that “Cloud rivals Microsoft, Google, and IBM have teamed up on a project to help companies better defend against hackers and other cybersecurity problems. The initiative, announced Thursday, involves tracking and recording attempts by hackers to infiltrate corporate systems. Because each cloud-computing vendor records security incidents differently, companies can have a hard time getting the full picture about the latest cybersecurity attacks, explained Daniel Conroy, chief technology officer for the digital unit of aerospace giant Raytheon, which is also part of the project.”
  • Cyberscoop provides the latest on fallout from the SolarWinds hack.

Cybersecurity Saturday

Cyberscoop reports that

The Justice Department is undertaking a four-month review of its approach to combatting a range of malicious cyber activity from foreign governments and criminals amid a spate of ransomware attacks and supply chain compromises.

“We need to rethink … and really assess are we using the most effective strategies” against such hacking, Deputy Attorney General Lisa Monaco said Friday at the Munich Cyber Security Conference.

In this regard —

  • Health IT Security discusses “Healthcare’s Biggest Cybersecurity Blind Spots and Misconceptions — While awareness of the threats facing the healthcare sector has improved, providers have inherent blindspots and misconceptions leaving them exposed to a host of cybersecurity risks.”
  • Health Leaders Media explains why “Medical Device cyber-vulnerability casts a cloud over growing use.”
  • ISACA asks whether there can ever be normalcy in cyberspace. “The cycle of conducting hearings after hacks occur, followed by writing laws and spending money, is exhausting. In short, doing the same things yet expecting different results is senseless. Lawmakers must accept the fact, known universally by security practitioners, that all digital devices are vulnerable—they always have been and always will be. Cybersecurity is a technical risk and, for the foreseeable future, the goal must be to make cyberattacks costly for malicious actors.”

Here’s the latest on the SolarWinds hack from the American Hospital Association. (The ISACA article’s author adds, “But to categorize SolarWinds as merely a hack is a disservice, as it is now understood to be a major cybercampaign involving an estimated 1,000 nation-state actors.”)

From the ransomware front —

  • The New York Times warns “Don’t Ignore Ransomware. It’s Bad.”
  • The International Foundation of Employee Benefit Plans sets forth “Five Ransomware Risk Mitigation Strategies” for benefit plan administrators. The FEHBlog adds encrypting data in motion and at rest to that list.

The National Institute of Standards and Technology is seeking public comments on two cybersecurity documents:

Cybersecurity Saturday

It turns out that National Supply Chain Integrity Month’s theme for this week has been understanding supply chain threats. “Recent software compromises and other security incidents have revealed how new and inherent vulnerabilities in global supply chains can have cascading impacts that affect all users of ICT within and across organizations, sectors, and the National Critical Functions. To help organizations understand these threats and how to mitigate them, CISA’s ICT Supply Chain Risk Management (SCRM) Task Force developed the Threat Scenarios Report that provides acquisition and procurement personnel and others with practical, example-based guidance on supplier SCRM threat analysis and evaluation.”

Cyberscoop reports that

At least two-dozen U.S. federal agencies run the Pulse Connect Secure enterprise software that two advanced hacking groups have recently exploited, according to the Department of Homeland Security’s cybersecurity agency.

Multiple agencies have been breached, but just how many is unclear. “We’re aware of 24 agencies running Pulse Connect Secure devices, but it’s too early to determine conclusively how many have actually had the vulnerability exploited,” Scott McConnell, a spokesman for DHS’s Cybersecurity and Infrastructure Security Agency, told CyberScoop on Wednesday.

FireEye, the cybersecurity firm that announced the hacking campaign on Tuesday, said at least one of the two groups had links to China. The suspected Chinese hackers also targeted the trade-secret-rich defense contractors who do business with the Pentagon.

A security fix for the previously unknown software vulnerability exploited by the hackers won’t be available until next month, according to Ivanti, the Utah-based firm that owns Pulse Connect Secure.

FireEye also discovered the SolarWinds hack. Here is a link to the CISA emergency directive on this latest hack.

The Wall Street Journal informs us that

The Justice Department has formed a task force to curtail the proliferation of ransomware cyberattacks, in a bid to make the popular extortion schemes less lucrative by targeting the entire digital ecosystem that supports them. In an internal memorandum issued this week, Acting Deputy Attorney General John Carlin said ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.” * * *

The memo calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.

The task force will consist of the Justice Department’s criminal, national security and civil divisions, the Federal Bureau of Investigation and the Executive Office of U.S. Attorneys, which supports the 93 top federal prosecutors across the country. It will also work to boost collaboration with the private sector, international partners and other federal agencies such as the Treasury and Homeland Security departments.

CSOonline reports that

Faced with increasing payouts and a likely storm of litigation around the recent SolarWinds and Microsoft Exchange server compromises, cyber insurers are facing an “existential battle” for their future, a leading cybersecurity researcher and privacy consultant has warned. Likewise, businesses are grappling with whether to get cyber insurance, over doubts about payouts if attacked from the conflicted cyber insurance industry.

Nevertheless, purchasing cyber liability insurance remains a no-brainer decision in the FEHBlog’s opinion.

Cybersecurity Saturday

Before it’s too late, here is the Cybersecurity and Infrastructure Security Agency’s Week 2 website for National Supply Chain Integrity Month. Week 2 focuses on Assessing ICT Trustworthiness. The website offers new resources. Check it out.

The Labor Department’s Employee Benefits Security Administration, which regulates employer-sponsored benefit plans governed by ERISA, has created a lengthy, yet helpful, list of cybersecurity best practices for ERISA plans, which no doubt could be used by FEHB plans too.

Bleeping Computer informs us today that “Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded.” It adds, “BleepingComputer strongly recommends that all Windows users install the latest Patch Tuesday security updates. Not only for this vulnerability but the 107 other vulnerabilities fixed this month.”

The AP discusses Microsoft’s cybersecurity woes.

Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.

Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014-2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the National Security Agency’s head of information assurance at the time.

The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.

“People took their eye off the ball.”

Interesting.

Last Wednesday, the Senate Intelligence Committee held an open hearing on worldwide threats, and of course the SolarWinds hack was a topic. Here is Cyberscoop’s take on that hearing. The following day, per the Wall Street Journal, “President Biden announced retaliatory measures against Russia over election interference, the SolarWinds cyberattack and other malign activity, saying he isn’t seeking to kick off ‘a cycle of escalation’ but would take more drastic action if necessary.” The Journal adds that

The U.S. has punished Russia for election interference in the past, notably after its multipronged operations during the 2016 election. But previous administrations typically refrained from retaliating for cyber intrusions they classified as political espionage—no matter how broad or successful—in part because the U.S. and its allies regularly engage in similar conduct, current and former officials said.

Subsequently, again per the Journal, “Russia said it would expel 10 U.S. diplomats and bar a number of senior U.S. officials from entering the country in response to measures against Moscow.”