Cybersecurity Saturday

From Capitol Hill, Security Week reports

Two bipartisan cybersecurity bills were signed into law on Tuesday, June 21, 2022, by US President Joe Biden: the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.

The Federal Rotational Cyber Workforce Program Act, which has been around since 2018, proposes a program under which certain federal employees can be temporarily moved to other agencies in an effort to boost their skills.

Agencies can determine whether a position involving IT or cybersecurity is eligible for the program. The Office of Personnel Management is tasked with creating an operation plan, and the Government Accountability Office must assess the effectiveness of the program.

The State and Local Government Cybersecurity Act of 2021 is meant to improve collaboration between the Department of Homeland Security and state, local, tribal and territorial governments.

From the cyber vulnerabilities front —

Health IT Security informs us

Application Programming Interface (API) adoption is steadily increasing in the healthcare sector, but APIs do not come without cybersecurity risks. In fact, Gartner predicted that API attacks would become the most common attack vector by 2022.


In healthcare, evidence suggests that API adoption could revolutionize interoperability efforts and health data exchange. In addition, providers are increasingly implementing APIs to comply with the CMS Interoperability and Patient Access final rule. Meanwhile, the HL7 Fast Healthcare Interoperability Resources (FHIR) standard is quickly gaining recognition in the health IT space.

In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers discovered that the lack of API security may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

“These estimates provide a view on losses that are entirely avoidable,” the report suggested.

“If companies made an upfront investment in properly securing all of their APIs, their API-related losses could decrease significantly even as their API adoption continues to increase.”

Cybersecurity Dive tells us

Malicious actors continue to dog VMware Horizon and Unified Access Gateway server deployments, capitalizing on unpatched Log4Shell, the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory with the U.S. Coast Guard Cyber Command.

The agencies are calling for organizations to update all VMware Horizon and UAG systems and, if fixes weren’t applied in Dec. 2021, organizations should consider their systems compromised and start threat hunting. 

Cybersecurity Dive adds

Two of every five organizations don’t have strong confidence in their open source software security, according to a joint study from The Linux Foundation and Snyk, a firm that specializes in developer security. Just half of organizations actually have a security policy related to open source development or usage, the research showed. 

The average application development project has 49 vulnerabilities and 80 direct dependencies, according to the report. 

The time required to fix vulnerabilities in open source more than doubled to 110 days in 2021, compared with 41 days during 2018, the report found.

From the ransomware front, we have a link to the latest edition of Bleeping Computer’s The Week in Ransomware.

The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation.

Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month.

The members are now long spread out in smaller cells among different operations, making it more challenging to target the crime syndicate.

From the cyber defenses front, ISACA reports on “Why (and How to) Dispose of Digital Data.”