Cybersecurity Saturday

From the cyber breaches front —

  • Health IT Security reports that the recent DC Healthlink data breach resulted from unspecified human error.
  • Cybersecurity Dive informs us,
    • “NCR, a payments processor that offers point-of-sale systems to restaurants and retailers, digital banking and ATM services, is still responding to and recovering from a ransomware attack that began impacting systems on April 12.
    • “The cyberattack caused a data center outage that is impacting some functionality in Aloha, a POS used by restaurants, and Counterpoint, which integrates front- and back-office management systems for retailers, NCR said in an incident report update Monday. The company first publicly disclosed it was hit by a ransomware attack on April 15.”
  • Health IT Security adds,
    • The average cost of a healthcare ransomware attack was $4.82 million in 2021, according to IBM Security’s “Cost of a Data Breach Report.” In a new report by ThreatConnect, the cyber threat intelligence company suggested that there is more to be discovered about the true cost of a ransomware attack.
    • “[T]hat average attack figure takes into account a large number of incidents that cost relatively little (less than $25k) and a few that cost a lot,” the report stated. “The question is—does the average apply to you?”
    • “ThreatConnect analyzed thousands of companies in the manufacturing, healthcare, and utility industries in order to estimate median losses to operating incomes.”
  • According to Cybersecurity Dive,
    • “Premiums for stand-alone cyber insurance rose by 62% in 2022 following a 91% increase in the prior year, according to a recent report by Fitch Ratings.
    • “The deceleration was driven by a moderation of ransomware incidents, a heightened level of cyber risk awareness among corporate executives, and more strict enforcement of cyber hygiene standards by insurance companies, according to Fitch.
    • “You will likely see rates decelerate further,” Gerald Glombicki, a senior director in Fitch Ratings insurance group, said in an interview.”

From the cyber vulnerabilities front —

  • The Health Sector Cybersecurity Coordination Center released its March 2023 vulnerabilities report.
    • “In March 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Administration (CISA) added two, one, and three known exploited vulnerabilities to its catalog.
  • CISA and other federal agencies issued a joint advisory about “APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy), a highly skilled threat actor” that “accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.”
  • Cybersecurity Dive tells us,
    • “Threat actors can use ChatGPT to sharpen cyberthreats, but no need to panic yet
    • “Startling dangers, such as autonomous attack mechanisms and sophisticated malware coding, have yet to materialize. For now, the threat is more specific.”

From the ransomware front

  • Here’s a link to the latest Bleeping Computer Week in Ransomware.

From the cyber defenses front —

  • The Department of Health and Human Services announced
    • “On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector:
    • Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
    • Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
    • Hospital Cyber Resiliency Initiative Landscape Analysis – PDF – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).”
  • Forbes points out
    • “Cyber investments have become table stakes for businesses around the world. Cybercrime is increasing, with 91% of organizations reporting at least one cyber incident in the past year. Not only are they growing in numbers, but they are becoming more sophisticated and diverse, with new threats constantly emerging. According to the 2023 Deloitte Global Future of Cyber survey, in this environment, business leaders are changing how they think of cyber, and it’s emerging as a larger strategic discussion tied to an organization’s long-term success.
    • “Today, leaders should consider how to work cyber into every part of their business—from operations to the employee and the consumer. By creating business strategies that embed cyber, improve employee training, and build cyber into digital transformation initiatives, businesses can stay ahead of the curve and better protect their organizations. [The linked article explains] how some leaders are rethinking their approaches to cyber to help drive long-term growth for their companies.”
  • Cyberscoop reports
    • “Some of the biggest names in modern computing — including a winner of the prestigious Turing Award — are betting on a new type of operating system they say will be resilient against common cyberattacks and bounce back from ransomware infections within minutes. 
    • “Those are bold claims. But the people behind the project include Michael Stonebraker, a serial tech entrepreneur and computer scientist at the Massachusetts Institute of Technology whose groundbreaking work on database systems earned him the Turing honor in 2015. He’s teaming up with Matei Zaharia, an associate professor at Stanford University and creator of the Apache Spark project, and Jeremy Kepner, head of the MIT Lincoln Laboratory Supercomputing Center.
    • “It’s a total new paradigm,” said Michael Coden, associate director of cybersecurity at MIT Sloan School of Management, who took a part-time position at Boston Consulting Group as senior adviser in order to help lead the database-oriented operating system, or “DBOS” for short.
    • “Stonebraker and Coden plan on demonstrating the open-source operating systems during the RSA Conference, the annual cybersecurity gathering in San Francisco, next week and show in real time how it will bounce back from a simulated ransomware attack.”
  • The NIST Cybersecurity and Privacy Program made available,
    • “The initial public draft of NIST Special Publication (SP) 800-207A, A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments, is now available for public comment.
    • “Enterprise application environments consist of geographically distributed and loosely coupled microservices that span multiple cloud and on-premises environments. They are accessed by a userbase from different locations through different devices. This scenario calls for establishing trust in all enterprise access entities, data sources, and computing services through secure communication and the validation of access policies.”
    • The public comment deadline is June 7, 2023.