Cybersecurity Saturday

From the cybersecurity policy front, CISA announced the speakers scheduled for its Fifth National Cybersecurity Summit to be held in Atlanta, GA, on October 4, 2022. You may attend in person or virtually. You can register here: CISA’s 5th Annual National Cybersecurity Summit Tickets | Eventbrite. There’s no charge to attend this summit.

From the cyberbreach front, Cybersecurity Dive reports “Uber details how it got hacked, claims limited damage; While there’s no evidence the rideshare company’s codebase was altered, the attacker did gain access to Slack, vulnerability reports and financial data.” The FEHBlog called attention to the Uber breach in last week’s post.

From the cybervulnerability front

  • Health IT Security informs us, “The Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare sector of a new monkeypox-themed phishing scheme targeting healthcare providers.”
  • HC3 also released a PowerPoint presentation on the Chinese state-sponsored threat actor APT41 and its recent activity.
  • CISA added another known exploited vulnerability to its catalog.
  • VentureBeat discusses Keeper Security[’s] * * * second annual 2022 U.S. Cybersecurity Census Report, which maps the transforming landscape of cybersecurity based on expert insights from 500+ IT decision-makers in U.S. businesses. This year’s findings clearly show that while cybersecurity is a key priority, staying a step ahead of bad actors is a continuous challenge, and many businesses are not keeping pace. According to survey respondents, U.S. businesses experience 42 cyberattacks each year. Of those, about three cyberattacks are successful. The overwhelming majority of respondents expect the total number of attacks will increase over the next year, with 39% predicting the number of successful cyberattacks will also increase.
  • CISA announced that “Microsoft has released a security update to address a vulnerability in Microsoft Endpoint Configuration Manager, versions 2103-2207. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review Microsoft’s Security Advisory for CVE-2022-37972 and apply the necessary updates.”

From the ransomware front, all we have this week is Bleeping Computer’s reliable and comprehensive The Week in Ransomware.

From the cyberdefenses front, the FEHBlog was very impressed by the Wall Street Journal article about zero-trust architecture.

The companies that should know best how to fight hackers, tech firms, have reached an arresting conclusion: The weakest link in security, as it’s been since the Trojan War, is humans.

Increasingly, they are taking a new approach: Trust no one.

The philosophy, known as zero-trust architecture, assumes that no matter how robust a company’s external defenses are, hackers can get in. So companies need to make sure that even users inside a network can’t do serious damage. * * *

“Zero trust is based on the idea that you don’t trust anything in your system anymore,” says Anshu Sharma, chief executive of Skyflow, a startup that uses zero-trust principles to safeguard personal data for other companies. “Just because you’re in the building, you don’t get access to important stuff.” 

Many of the design principles that guide engineers building zero-trust systems are easy to understand. If you’ve found yourself having to log back into corporate systems or your bank’s website more often of late, that’s a version of the zero-trust tactic of regularly “rotating” the credentials that allow people and computers to access other systems. The idea is that even if attackers got in with your account, they’d have limited time to do damage.

Another zero-trust principle, known as behavioral analysis, is that software should monitor the behavior of those on a network and flag anyone doing something unusual, like trying to make an extra-large bank withdrawal. (This is the same kind of analysis that leads your bank to send you a text if you make an out-of-character credit-card purchase, for example, when you’re traveling to a new city.)

The consistent theme is that every component of a system should be skeptical, even if you’ve identified yourself and gained access, that you are who you say you are and are doing what you should be doing.
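The two principles the article describes, credentials that expire so an intruder’s window is short, and behaviour checked against an account’s own baseline, as an added Python example (not code from the Journal article or from the FEHBlog; the signing key, token format, withdrawal history and threshold are constructed for illustration):

```python
import base64, hashlib, hmac, json, statistics
from typing import Optional

# Constructed demo key; a real deployment keeps this in a secrets manager.
SIGNING_KEY = b"constructed-demo-signing-key"

def issue_token(user: str, ttl_seconds: int, now: float) -> str:
    """Mint a short-lived HMAC-signed token; the holder must re-authenticate once it expires."""
    payload = json.dumps({"sub": user, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token: str, now: float) -> Optional[str]:
    """Return the subject if the signature checks out and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or signature
    claims = json.loads(payload)
    return claims["sub"] if now < claims["exp"] else None

def is_anomalous(history: list, amount: float, k: float = 3.0) -> bool:
    """Flag an amount far above the account's baseline (mean + k standard deviations)."""
    if len(history) < 2:
        return False  # not enough history to establish a baseline
    mean, sd = statistics.fmean(history), statistics.pstdev(history)
    return amount > mean + k * max(sd, 1.0)

def authorize_withdrawal(token: str, amount: float, history: list, now: float) -> str:
    """Zero-trust gate: a valid, unexpired credential AND in-baseline behaviour are both required."""
    user = verify_token(token, now)
    if user is None:
        return "deny: credential invalid or expired"
    if is_anomalous(history, amount):
        return "flag: unusual amount, step-up verification required"
    return "allow"

if __name__ == "__main__":
    now = 1_700_000_000.0
    tok = issue_token("alice", ttl_seconds=900, now=now)
    past = [40.0, 60.0, 50.0, 55.0, 45.0]  # constructed withdrawal history
    print(authorize_withdrawal(tok, 60.0, past, now))        # allow
    print(authorize_withdrawal(tok, 5000.0, past, now))      # flag
    print(authorize_withdrawal(tok, 60.0, past, now + 901))  # deny (expired)
```

Both checks run on every request, so a stolen but still-valid token is bounded in time and, even within that window, an out-of-character transaction is flagged rather than allowed.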