Cybersecurity Saturday

Cyberscoop reports

The Senate cleared legislation Thursday evening that would make the Cybersecurity and Infrastructure Security Agency (CISA) a hub to receive mandatory industry reports about major cyber incidents and ransomware payments, as well as boost its budget 22% over last year.

Security Week adds

[The new law] requires any entity that’s considered part of the nation’s critical infrastructure, which includes the finance, transportation and energy sectors, to report any “substantial cyber incident” to the government within three days and any ransomware payment made within 24 hours.

[It] also empowers CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.

The FEHBlog examined the new law’s definition of a covered entity and it appears to be sufficiently broad to encompass healthcare.

The FEHBlog learned that the cyber reporting provisions are found in Division Y of the Consolidated Appropriations Act, 2022 (the new law’s official name) and the cyber reporting requirements will take effect following CISA promulgation of implementing rules.

In related news, Bleeping Computer reports

The US Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they’re determined as being a material incident (one that shareholders would likely consider important).

“In some cases, the date of the registrant’s materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date,” the Wall Street watchdog explained.

According to newly proposed amendments to current rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks on Form 8-K.

The amended rules would also instruct companies to provide updates regarding previously reported security breaches.

In cybersecurity business news, the Wall Street Journal informed us on March 8

Google said it reached a deal to buy cybersecurity company Mandiant Inc. for nearly $5.4 billion, aiming to bolster its cloud unit with more cybersecurity offerings at a time when businesses have seen a wave of attacks on their systems.

The deal is the second-largest in history for the Alphabet Inc. unit and comes as the company is facing antitrust lawsuits from the Justice Department and multiple states for allegedly anticompetitive practices.

In buying Mandiant, Google provides a boost to its cloud business, which is rapidly growing but remains smaller than its key rivals. In the most recent quarter, the business saw revenue rise by about 45% to $5.54 billion, or about 7% of the company’s total quarterly revenue.

Thomas Kurian, chief executive of Google Cloud, said that Google wanted to draw from the insights of Mandiant’s threat research in how it applies security solutions to its products, and that the computing giant intended to retain the Mandiant brand. * * *

The companies said the deal is expected to close later this year. Google has faced intense regulatory scrutiny for smaller acquisitions. It took more than a year for Google to close its $2.1 billion acquisition of Fitbit LLC as regulators took a close look at the deal.

From the cyberthreat front, the HHS Cybersecurity Program this past week issued alerts on “PTC Axeda agent and Axeda Desktop Server Vulnerabilities” and a Conti ransomware update. Health IT Security reported on the Conti ransomware update here.

Conti actors typically gain initial access via spearphishing campaigns, stolen Remote Desktop Protocol (RDP) credentials, fake software promoted via search engine optimization, or common asset vulnerabilities.

CISA updated the advisory to include new indicators of compromise, including new domains that had registration and naming characteristics that were similar to those used by Conti in the past.

US organizations, especially in the healthcare sector, should remain on high alert and implement technical safeguards to prevent cyberattacks. Organizations should adopt multi-factor authentication, network segmentation, and frequent vulnerability scanning.

In addition, the advisory recommended that organizations remove unnecessary applications, implement endpoint and detection response tools, restrict access to RDP, and secure user accounts.

In other cybersecurity news, Health IT Security tells us

Although cyberattacks and data breaches have bombarded the healthcare sector in recent years, recent research from Immersive Labs found that healthcare conducts cyber incident response exercises far less than other industries.

Immersive Labs analyzed 35,000 members of the cybersecurity workforce from a variety of industries and found that the healthcare sector conducted only two cyber crisis exercises per year on average. The technology and financial services sectors conducted nine and seven crisis exercises per year on average, respectively.

It makes sense that highly targeted industries like technology and finance would prepare accordingly. But healthcare is an equally high-profile and highly regulated cyberattack target, making the lack of crisis response exercises troubling.