Cybersecurity Saturday

From the cybersecurity policy front —

  • Defense One reports,
    • “By November, Pentagon cybersecurity leaders aim to lay out just how private contractors will be expected to work with government agencies to safeguard data and ward off attacks.
    • “We are working on a strategy—a [defense industrial base] cybersecurity strategy—that we hope to have out later this year,” David McKeown, DOD’s chief information and security officer, said at GovExec’s Cyber Summit event Thursday. “Our strategy is bringing all of the pieces and parts within the department together…laying it out who’s going to be doing what, and we overlay everything on top of the NIST cybersecurity framework.”
    • “Lawmakers requested the strategy as a step toward reducing the vulnerabilities created by doing sensitive business with hundreds of thousands of private contractors.”
  • Cyberscoop tells us,
    • “Lawmakers on Wednesday [May 17, 2023] passed a series of bills to give the Cybersecurity and Infrastructure Security Agency new responsibilities when it comes to safeguarding open source software, protecting U.S. critical infrastructure and expanding the cybersecurity workforce. 
    • “The Senate Homeland Security and Governmental Affairs Committee advanced a bill that would require CISA to maintain a commercial public satellite system clearinghouse and create voluntary cybersecurity recommendations for the space sector. Additionally, the committee advanced legislation requiring CISA to create a pilot civilian cyber reserve program to respond to incidents.
    • “The House Homeland Security Committee advanced legislation that would require CISA to work with the open source community to better secure it as well as create a framework to assess the general risks of open source components for federal agencies. The House advanced another bill that would give CISA the authority to train employees at DHS that aren’t currently in cybersecurity positions to move to such a role.”
  • Health IT Security adds,
    • “At a House Committee on Energy and Commerce hearing held on May 16, 2023, experts from the energy, water, and healthcare sectors testified on how sector-specific agencies within critical infrastructure are taking steps to protect their industries from cyberattacks.
    • “Each of the 16 critical infrastructure sectors has a designated Sector Risk Management Agency (SRMA) that is responsible for managing threats faced by each sector. The hearing gave committee members a chance to explore how various federal agencies work to secure critical infrastructure against cyber threats, assess their responses to emerging threats, and learn more about the roles and responsibilities of each agency.
    • “Brian Mazanec, PhD, deputy director at the HHS Administration for Strategic Preparedness and Response (ASPR) Office of Preparedness, delivered both a spoken and written testimony to the committee on the growing threats facing the healthcare sector and the role of HHS in mitigating these threats.
      • HHS is working diligently to strengthen cybersecurity and address the impacts of cyberattacks on the healthcare system. As we move forward, there are additional authorities and resources that would advance ASPR’s ability to fully implement its plan to bolster HHS’s Cyber Sector Risk Management Agency (SRMA) activities. For example, we are in the process of establishing a dedicated Cyber Division within ASPR’s Office of Critical Infrastructure Protection. If ASPR is granted direct hire authority, as requested through the Pandemic and All-Hazards Preparedness Act (PAHPA) reauthorization process, we would be able to bring critical staff with cyber expertise into the organization more quickly and move forward to address challenges without delay. We would also be better positioned to immediately expand and enhance our efforts as the SRMA lead for the HPH sector. Additionally, we are looking to establish a new HHS cyber incident ticketing system to better track incidents and strengthen threat intelligence sharing through embedded liaisons within CISA and the FBI. Dedicated resources are needed to implement and operate supporting systems, as included in the FY 2024 President’s Budget request. We continually assess and identify whether any additional authorities are needed to support our 

From the cyber vulnerabilities and breaches front —

  • The Health Sector Cybersecurity Coordination Center issued its April 2023 Cybersecurity Vulnerability report.
    • In April 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.
  • Dark Reading points out three ways hackers use ChatGPT to cause security headaches.
  • MeriTalk informs us,
    • “The Department of Transportation (DoT) is investigating a data breach affecting administrative systems at the department, an agency spokesperson confirmed to MeriTalk today.
    • “According to a Reuters report, DoT notified Congress of the data breach on Friday, which exposed the personal information of about 237,000 current and former Federal government employees. * * *
    • “DoT did not say when the hack was first discovered or who might be responsible for it.
    • “DoT is the latest agency to face a data breach after the U.S. Marshals Service (USMS) responded to a ransomware attack and data breach in February that compromised sensitive law enforcement information.”
  • Dark Reading adds,
    • “PharMerica Healthcare has disclosed that its systems were breached earlier this year by an unauthorized third party, which resulted in the leak of the personal details of more than 5.8 million deceased people.
    • “PharMerica provides pharmacy services for patients under long-term care, including those in senior living facilities, hospice care, and using behavioral health services.”

From the ransomware front,

  • Cyberscoop and Healthcare Dive report,
    • “A new and highly active ransomware threat actor, RA Group, is targeting organizations in the manufacturing, finance, insurance and pharmaceuticals sectors, researchers at Cisco Talos said Monday.
    • “Within a week of its emergence on April 22, RA Group compromised three organizations in the U.S. and one in South Korea. The group listed its first three victims on its leak site on April 27 and added a fourth victim on April 28, according to Cisco Talos.
    • “Initial victim organizations have had their data encrypted and stolen, a form of double extortion designed to increase pressure on the organizations to pay the ransom.”
  • CISA announced
    • CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory.
      To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory. Mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
  • Here’s this week’s link to Bleeping Computer’s Week in Ransomware.
  • Cybersecurity Dive provides guidance on why and how to report a ransomware attack.

From the cyber defenses front —

  • The Wall Street Journal reports on how tabletop exercises can improve cyber preparedness, while Cybersecurity Dive tells us,
    • Corporate programs designed to boost the cyber resilience of employees are falling short on their goals, with more than half of cybersecurity leaders saying their workforce is not prepared for an attack, according to an Osterman Research report sponsored by Immersive Labs.
    • At two-thirds of organizations, there is a fear that almost all employees, 95%, will not understand how to recover following a cyberattack. Priority tasks might include operating without core IT systems and switching to manual processes to get important tasks completed. 
    • “There is an unfortunate disconnect between leaders’ confidence in team preparedness and real cyber resilience,” Max Vetter, VP of cyber at Immersive Labs, said via email. “This is because legacy training measures attendance, not real capabilities.”