Cybersecurity Saturday

From the cybersecurity policy front,

  • The Federal Employees Health Benefits Program has two sets of regulations — OPM’s rules found at 5 CFR Part 890 and because federal procurement contracts create FEHB plans, the Federal Acquisition Regulation (FAR) at 48 CFR Chap. 1 and OPM’s implementing FEHB Acquisition Regulation (FEHBAR)found at 48 CFR Chap. 16. It’s worth noting that the FAR was first issued forty years ago.
  • The Holland and Knight law firm discusses two proposed FAR cybersecurity rules published on October 3, 2023. The first one (FAR Case No. 2021-17) captioned “Cyber Threat and Incident Reporting and Information Sharing will apply to the FEHB Program as it generally imposes obligations on federal contractors. The other rule (FAR Case No. 2021-19 captioned “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” will not apply to the FEHB because carrier systems are not federal information systems. The public comment deadline for the two proposed rules is December 4, 2023.  
  • The National Security Agency announced on October 5, 2023,
    • “The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing a joint Cybersecurity Advisory (CSA) highlighting the top ten most common cybersecurity misconfigurations found in large organizations’ networks. The CSA details tactics, techniques, and procedures (TTPs) that cyber actors could use to compromise these networks, as well as mitigations to defend against this threat. * * *
    • “As indicated in the CSA, these most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise.
    • “Some of the misconfigurations mentioned in the CSA include default configurations of software and applications, weak or misconfigured multifactor authentication (MFA) methods, and unrestricted code execution.
    • “NSA and CISA encourage network defenders and software manufacturers to implement the recommendations found within the Mitigations section of this advisory to reduce the risk of compromise. The agencies also recommend network owners and operators examine their networks for similar misconfigurations even when running other software not specifically mentioned in the advisory.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced on October 4, 2023,
    • “CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.
    • “This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.
    • “Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.”
  • The Health Sector Cybersecurity Coordination Center (HC3) released on October 4, 2023, a sector alert about securing remote access and management software.
    • “Cybersecurity and law enforcement agencies such as CISA, MS-ISAC, CIS, and the FBI have been reporting on increased misuse of remote access software to target organizations and critical infrastructure sectors.
    • “For implications to the Healthcare and Public Health (HPH) sector, remote access solutions keep healthcare professionals connected while also providing increased flexibility and convenience. But the same solutions used to operate, maintain, and secure healthcare systems and networks can also be turned against their own infrastructure. Mitigating the risk associated with them is not as simple as deploying a patch or reconfiguring an application.”
  • The Health Sector Council released an updated Health Industry Cybersecurity Supply Chain Risk Management Guide – Version 2023 (HIC-SCRiM-v2)
    • The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program.

From the cybersecurity breaches and vulnerabilities front,

  • HC3 announced on October 6, 2023,
    • “Cisco recently released an update that fixes a critical vulnerability in their Emergency Responder communications platform, a system that is utilized in the health sector. The exploitation of this vulnerability allows for a cyberattacker to completely compromise a vulnerable system and then utilize it for further cyberattacks across an enterprise network. HC3 recommends healthcare organizations identify vulnerable systems in their infrastructure and prioritize the implementation of this update.”
  • HC3 posted its report on September vulnerabilities of interest to the health sector on October 5, 2023.
    • In September 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for September are from Microsoft, Google/Android, Cisco, Apple, Mozilla, SAP, Fortinet, VMWare, Progress Software, and Adobe.
    • A vulnerability is given the classification as a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
    • HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.
  • CISA added one known exploited vulnerability to its catalog on October 2, another one on October 3, two more on October 4 (and deleted five catalog entries) and three more on October 5, 2023.

From the cybersecurity defenses front,

  • Cybersecurity Dive discusses what to consider when choosing cybersecurity providers.
  • Dark Reading proposes “five steps [by which] organizations can develop stronger security practices and make the inevitable breaches inconsequential.
  • An ISACA expert explains how to comply with multiple security standards and frameworks.
  • Another ISACA expert discusses common privacy dark patterns and ways to improve digital trust.