Cybersecurity Saturday

David ErmerCybersecurity, Generative AI, Uncategorized

From the cybersecurity policy front —

  • Cyberscoop reports
    • “President Biden on Wednesday nominated Harry Coker, a long-time CIA and National Security Agency official, to serve as the next national cyber director, a choice that elevates a relatively unknown official to take on a high-profile assignment as the president’s leading cybersecurity adviser. 
    • “Coker’s nomination ends a protracted search to replace Chris Inglis, who led the Office of the National Cyber Director until February after leading efforts to draft the administration’s cybersecurity strategy. 
    • “Leading voices in Capitol Hill have urged Biden in recent weeks to nominate Inglis’s deputy, Kemba Walden, who has been serving as the acting director. Despite the support of key lawmakers, the White House passed on elevating Walden to the permanent position — reportedly out of concern that her significant financial debts might hinder her confirmation before the Senate.”
  • The Cybersecurity and Infrastructure Security Agency tells us,
    • “Now that the cross-sector CPGs have been published, CISA is working with Sector Risk Management Agencies (SRMAs) to directly engage with each critical infrastructure sector to develop Sector-Specific Goals (SSGs).  In most instances, these goals will likely consist of either new, unique additional goals with direct applicability to a given sector or, materials to assist sector constituents with effective implementation of the existing cross-sector CPGs. Sector-specific goals will be developed by:
    • “Identifying any additional cybersecurity practices not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.  
    • “Providing examples for recommended actions specific to the infrastructure and entities in that sector; and  
    • “Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.  
    • “As there are 16 Critical Infrastructure sectors with varying needs, CISA will be tackling this effort in several phases. The first four sectors CISA is working with include the Energy, Financial Services, IT, and Chemical Sectors. In addition, CISA will be working throughout the year with the Water/Wastewater Sector, Healthcare Sector, and K-12 Subsector on identifying approaches for how organizations in those sectors/subsectors can enhance their cybersecurity posture through the implementation of the existing body of cross-sector goals.”
  • Here is a link to the website for the healthcare sector coordinating council (HSCC), whose work the FEHBlog will begin to track. Surprisingly to the FEHBlog, OPM is not an HSCC member.

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informs us,
    • “Healthcare continues to be the most expensive industry for data breaches, beating out other sectors for the 13th year in a row, according to research conducted by the Ponemon Institute and published by IBM Security
    • “The average cost of a healthcare data breach reached nearly $11 million in 2023, an increase of 8% from last year and a 53% jump since 2020, the report found. 
    • “Although the healthcare sector faces high levels of industry regulation, expenses accrued from data breaches in the sector were almost double compared to the financial industry, which saw the second-most expensive data breaches at $5.9 million.”
  • Cybersecurity Dive adds
    • “The investigation phase of data breaches is the fastest growing and costliest category of data breach expenses, contributing to the consistent year-over-year increase in costs. Detection and escalation costs jumped almost 10% to nearly $1.6 million per incident, IBM found.
    • “The breadth and depth of incident response investigations are scaling up directly with the overall costs, along with the off tempo of the criminal,” John Dwyer, head of research at IBM Security X-Force, told Cybersecurity Dive.”
  • On a related topic, Cybersecurity Dive lets us know,
    • “Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies, according to the Cybersecurity and Infrastructure Security Agency.
    • “Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year.
    • Valid accounts, including former employee accounts, not removed from the Active Directory and default administrator credentials, were responsible for 54% of all attacks studied in the agency’s annual risk and vulnerability assessment released Wednesday.
    • Spear-phishing links — malware-laced emails sent to targeted individuals — were responsible for 1 in 3 attacks, the report found.
    • The success rate of these techniques underscores the staying power of the most common methods threat actors use to gain initial access to targeted systems.
  • Cyberscoop relates
    • “Apple on Monday issued its third security update in roughly a month to remedy vulnerabilities exploited in Operation Triangulation, a spyware campaign that researchers say specifically targeted iMessage users in Russia. 
    • “The Russian arm of cybersecurity firm Kaspersky on June 1 revealed the details of a zero-click iOS exploit. The company’s researchers said they discovered it while monitoring the company’s own corporate Wi-Fi network dedicated to mobile devices. The findings were released the same day Russia’s Federal Security Service, or FSB, said it had uncovered an American espionage operation targeting Apple devices in Russia in cooperation with Apple. 
    • “Apple told CyberScoop at the time that it had “never worked with any government to insert a backdoor into any Apple product and never will.”
  • Per Cyberscoop,
    • “Executives, researchers and engineers at big tech companies and startups alike working on artificial intelligence face a growing threat from criminal and nation-state hackers looking to pilfer intellectual property or data that underlies powerful chatbots, the FBI warned on Friday.
    • “The growing risk coincides with the increasing availability of AI tools and services to the general public in the form of products such as OpenAI’s ChatGPT, or Google’s Bard, for instance, as well as the increasing ease and ability for many companies to develop AI language models.
    • “The warning comes two days after FBI Director Christopher Wray and Bryan Vorndran, the agency’s assistant director, cyber division, warned about the distinct AI-related threats from China, which political leaders in the U.S. and Europe have long warned wants to dominate all aspects of AI research and implementation.”
  • Per Security Week,
    • “New guidance from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warns developers, vendors, and organizations of access control vulnerabilities in web applications.
    • “Described as insecure direct object reference (IDOR) issues, they allow threat actors to read or tamper with sensitive data via application programming interface (API) requests that include the identifier of a valid user.
    • “These requests are successful because the authentication or authorization of the user submitting the request is not properly validated, the three agencies explain.”
  • CISA added an additional known exploited vulnerability to its catalog on July 25, July 26, and July 27, 2023.
  • Yesterday CISA “published three malware analysis reports on malware variants associated with the exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero-day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.”
  • Also, yesterday, CMS shared its MOVEIt breach notice to Medicare beneficiaries.

From the ransomware front —

  • HelpNet Security points out that “In the Q2 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.”
  • Here is a link to yesterday’s The Week in Ransomware from Bleeping Computer.
    • “With ransom payments declining, ransomware gangs are evolving their extortion tactics to utilize new methods to pressure victims.
    • “This was seen by both the Clop and BlackCat/ALPHV ransomware gangs, who began utilizing new tactics as part of their extortion schemes.
    • “Clop has begun to create clear websites to leak data stolen during the MOVEit Transfer attacks, similar to a tactic introduced by ALPHV in 2022.”

From the cybersecurity defenses front —

  • TechRepublic shares cybersecurity defense ideas included in the Ponemon/IBM report.
  • Forbes offers a cybersecurity expert’s view on adopting a new paradigm in cybersecurity stemming from this conundrum:
    • Today, companies that house secure data and information are encountering an accessibility dilemma: On the one hand, they face an increased need for security and privacy of data, particularly as cyber threats become self-generating and more sophisticated. On the other hand, the value in securing assets lies in being able to utilize them, share them, and transact them effectively and efficiently with intended stakeholders so as to improve customer service and attain competitive differentiators. Companies struggle to balance these needs with the imperative to secure these data, particularly in accordance with certain industry standards or digital privacy regulations