Cybersecurity Saturday

From the cybersecurity policy front, Cybersecurity Dive tells us

The public-private cybersecurity supergroup, the Joint Cyber Defense Collaborative, is turning its attention to a 2023 agenda that will address risks to vulnerable industries and sensitive elements of civil society.

JCDC will assess risk in energy and water infrastructure sectors alongside the use of open-source software in industrial control systems, the group revealed Thursday. 

It also wants to increase cybersecurity and reduce risk for small- and medium-sized critical infrastructure providers. JCDC will collaborate with managed service providers, managed security service providers and remote monitoring and management as part of the effort.

FedScoop reports

The National Institute of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.

On Thursday [January 24, 2023], NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks. 

The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.

Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.

and

The National Institute of Standards and Technology has issued the first version of its Artificial Intelligence Risk Management Framework that federal agency leaders and lawmakers hope will govern use of the technology.

The Department of Commerce agency Thursday released the initial document, which it emphasized will continue to evolve as the department receives further input from industry and the scientific research community.

Publication of the document comes as the use of AI technology receives increased public attention with the launch of new mainstream tools including ChatGPT.

In the framework document, NIST sets out four key functions that it says are key to building responsible AI systems: govern, map, measure and manage.

Nextgov informs us

The Office of Personnel Management plans to launch a federal cyber workforce dashboard to provide agencies with a better tool to address workforce needs, according to a demo of the proposed dashboard held during a National Institute of Standards and Technology webinar on Tuesday [January 24, 2023].

An OPM spokesperson told Nextgov the cyber workforce data dashboard is a new tool that will have two versions: a public version looking at governmentwide data and an agency-specific version—where each agency will have a more granular view—to help support their workforce needs. The spokesperson added that OPM has been showing the dashboard to cyber workforce community stakeholders, such as the Office of the National Cyber Director and the Office of Management and Budget.

This past week has been Data Privacy Week. Spiceworks explains how to convert Data Privacy Week into Data Privacy Year. Security provides thoughts and advice from data security leaders. For example,

Corey Nachreiner, Chief Security Officer at WatchGuard Technologies:

“Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility.”

From the cyber vulnerabilities front —

Cybersecurity Dive reports

Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees, authorities warned Wednesday.

The Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center said since June 2022 cybercriminals have sent help desk themed phishing emails to civilian executive branch agency staff using their personal and government email addresses. 

The lure aims to get the targeted workers to link to malicious domains in order to steal money from the targeted victims. However, authorities warn the same tactics could be used by APT actors in order to gain persistence within a network. 

Health IT Security also offers an article on this topic.

Fortune Magazine alerts us,

As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.

But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do so, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management, for example.

Health IT Security reports that “UCHealth and UCLA Health Report Healthcare Data Breaches”:

“The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.”

The Cybersecurity and Infrastructure Security Agency added known exploited vulnerabilities to its catalog — here and here.

Health IT Security adds

Ransomware remained a primary healthcare cyberattack tactic in Q4 2022, BlackBerry noted in its new Global Threat Intelligence Report. BlackBerry’s Threat Research and Intelligence team leveraged data collected by its own security solutions between September 1 and November 30, 2022, along with information from public and private intelligence sources.

Throughout the 90-day period, researchers observed threat actors using a variety of tactics, from downloaders to ransomware, infostealers, and remote access Trojans (RATs). For the healthcare sector in particular, ransomware “still poses the biggest threat,” the report indicated.

From the ransomware front, The Wall Street Journal reports

U.S. authorities seized the servers of the notorious Hive ransomware group after entering its networks and capturing keys to decrypt its software, the Justice Department said Thursday, calling its effort a “21st-century cyber stakeout.”

The group linked to Hive ransomware is widely seen by authorities and cybersecurity experts as one of the most prolific and dangerous cybercriminal actors in recent years. It has been linked to attacks on more than 1,500 victims including hospitals and schools—and has extorted more than $100 million in ransom payments, the Justice Department said.

Bravo. Bleeping Computer’s The Week in Ransomware focuses on this important development.

Yesterday [January 26, 2023], an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization’s servers in July 2022.

For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

Here’s the Justice Department’s press release.

Furthermore, an ISACA expert writes about common misconceptions about ransomware.

From the cyber defense front, the Wall Street Journal provides advice on assessing the likelihood of a “catastrophic” cyber attack, and Security Week explains how to end password dependency.