Cybersecurity Saturday

Before it’s too late, here is the Cybersecurity and Infrastructure Agency’s Week 2 website for National Supply Chain Integrity month. Week 2 focuses on Assessing ICT Trustworthiness. The website offers new resources. Check it out.

The Labor Department’s Employee Benefits Security Administration, which regulates employer-sponsored benefit plans governed by ERISA, has created a lengthy, yet helpful, list of cybersecurity best practices for ERISA plans, which no doubt could be used by FEHB plans too.

Bleeping Computer informs us today that “Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded.” The site adds: “BleepingComputer strongly recommends that all Windows users install the latest Patch Tuesday security updates. Not only for this vulnerability but the 107 other vulnerabilities fixed this month.”

The AP discusses Microsoft’s cybersecurity woes.

Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.

Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014-2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the National Security Agency’s head of information assurance at the time.

The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.

“People took their eye off the ball.”

Last Wednesday, the Senate Intelligence Committee held an open hearing on worldwide threats, and of course the SolarWinds hack was a topic. Here is Cyberscoop’s take on that hearing. The following day, per the Wall Street Journal, “President Biden announced retaliatory measures against Russia over election interference, the SolarWinds cyberattack and other malign activity, saying he isn’t seeking to kick off ‘a cycle of escalation’ but would take more drastic action if necessary.” The Journal adds that:

The U.S. has punished Russia for election interference in the past, notably after its multipronged operations during the 2016 election. But previous administrations typically refrained from retaliating for cyber intrusions they classified as political espionage—no matter how broad or successful—in part because the U.S. and its allies regularly engage in similar conduct, current and former officials said.

Subsequently, again per the Journal, “Russia said it would expel 10 U.S. diplomats and bar a number of senior U.S. officials from entering the country in response to measures against Moscow.”