Cybersecurity Saturday

From the cybersecurity policy front,

  • The National Institutes of Standards and Technology (NIST) announced,
    • “NIST is issuing one new proposed control and two control enhancements with corresponding assessment procedures for an expedited 2-week public comment period for October 17–31, 2023. All interested users are invited to provide real-time input to SP 800-53 controls, participate in public comment periods, and plan for future changes to the catalog at the website for Public Comments on SP 800-53 Controls. Review and submit comments on the proposed new control and enhancements by selecting the “Candidates” button. 
    • “NIST will also issue a patch release — SP 800-53 Release 5.1.1 — in early November 2023 via the Cybersecurity and Privacy Reference Tool to help organizations better manage cybersecurity and privacy risks to identity and access management systems. The changes included will not be issued as a new PDF publication at this time, and organizations will have the option to defer implementing the changes included in Patch Release 5.1.1 until SP 800-53, Release 6.0.0 is issued. 
    • “For more information, see the News Item and FAQ about SP 800-53 Comment Period Release 5.1.1.”
  • Yesterday, “the Cybersecurity and Infrastructure Security Agency (CISA) announced next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). As directed by the President’s 2023 National Cybersecurity Strategy, CISA, in close coordination with the Office of the National Cyber Director, is embarking on a process to gather input from public and private sector partners, including the federal interagency, Sector Risk Management Agencies (SRMAs), regulators, and critical infrastructure organizations, to identify key changes for incorporation into the updated NCIRP.”
    • Here is a link to the related CISA fact sheet. “CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.”
  • The American Hospital Association News adds that federal agencies this week issued “updated guidance to help software manufacturers demonstrate their commitment to secure by design principles and customers ask for products that are secure by design.”

From the cybervulnerabilities and breaches front,

  • Dark Reading tells us,
    • “Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.
    • “As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.
    • “So, admins should take note that on Thursday [October 19], Trend Micro’s Zero Day Initiative (ZDI) revealed a series of “High” and “Critical”-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, “The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets.”
  • American Hospital Association News informs us,
    • “The CISA, FBI and Multi-State Information Sharing and Analysis Center this week alerted organizations to a critical vulnerability affecting certain versions of the Atlassian Confluence Data Center and Server that enables malicious actors to obtain access to victim systems and continue active exploitation post-patch. The agencies strongly encourage network administrators to immediately apply the recommended upgrades and recommended responses to indicators of compromise.”
  • CISA added one more known exploited vulnerability to its catalog on October 16 and two more on October 19.
  • HHS’s Health Sector Cybersecurity Coordination Center issued on October 18 an Analyst Note titled “Summary of Findings on Potential ServiceNow Vulnerability.”
    • “On October 14, 2023, a cybersecurity researcher claimed that there is a potential data exposure issue within ServiceNow’s built-in capability that could allow unauthenticated users to extract data from records.
    • “ServiceNow is a cloud computing platform to help companies manage digital workflows for enterprise operations, including the Healthcare and Public Health (HPH) sector. Types of data likely exposed include names, e-mail addresses, and internal documents from potentially thousands of companies.
    • “One cybersecurity company stated that around 70% of total instances seem to be affected in ServiceNow’s capability. The vulnerability has yet to be exploited by threat actors, but the likelihood that it will be is probable.”
  • Bleeping Computer reports,
    • “Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks.
    • “Out of more than 1.8 million administrator credentials analyzed, over 40,000 entries were “admin,” showing that the default password is widely accepted by IT administrators.”
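As an added example (not code from Bleeping Computer or the researchers it cites), here is a small Python audit that screens an exported list of administrator credentials against a blocklist of default passwords, the same kind of check that produced the “admin” count above. The blocklist, the minimum-length threshold (taken from NIST SP 800-63B’s 8-character floor for memorized secrets) and the sample credentials are all constructed for illustration; a real audit would read the credentials from the secrets store being reviewed and use a far larger blocklist.

```python
"""Screen administrator credentials against a default/weak-password blocklist.

Constructed example: the credential list and blocklist below are made up for
illustration only.
"""
from collections import Counter

# Constructed blocklist of well-known default and trivial passwords.
DEFAULT_PASSWORD_BLOCKLIST = {
    "admin", "administrator", "password", "123456", "12345678",
    "root", "welcome", "changeme", "letmein", "qwerty",
}

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(secret: str) -> str:
    """Case-fold and strip whitespace so 'Admin ' still matches 'admin'."""
    return secret.strip().casefold()


def classify_password(username: str, password: str,
                      blocklist=DEFAULT_PASSWORD_BLOCKLIST) -> list:
    """Return the weaknesses found for one credential (empty list = passed)."""
    findings = []
    norm = normalize(password)
    if norm in blocklist:
        findings.append("blocklisted")
    if norm == normalize(username):
        findings.append("equals_username")
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    return findings


def audit_credentials(credentials, blocklist=DEFAULT_PASSWORD_BLOCKLIST) -> dict:
    """Audit (username, password) pairs; return counts and the failing accounts."""
    failing = {}
    by_reason = Counter()
    for username, password in credentials:
        findings = classify_password(username, password, blocklist)
        if findings:
            failing[username] = findings
            by_reason.update(findings)
    total = len(credentials)
    return {
        "total": total,
        "weak": len(failing),
        "weak_pct": round(100.0 * len(failing) / total, 1) if total else 0.0,
        "by_reason": dict(by_reason),
        "failing": failing,
    }


# Constructed sample export: six administrator accounts (hypothetical names).
SAMPLE_CREDENTIALS = [
    ("portal-admin", "admin"),                      # blocklisted and too short
    ("backup-svc", "Backup-Svc"),                   # equals its own username
    ("netops", "Welcome "),                         # blocklisted after normalization
    ("dba", "Tr0ub4dor&3"),                         # passes
    ("sec-ops", "correct horse battery staple"),    # passes
    ("helpdesk", "P@ss1"),                          # too short
]

if __name__ == "__main__":
    report = audit_credentials(SAMPLE_CREDENTIALS)
    print(f"{report['weak']} of {report['total']} accounts weak "
          f"({report['weak_pct']}%): {report['by_reason']}")
    for account, reasons in report["failing"].items():
        print(f"  {account}: {', '.join(reasons)}")
```

The normalization step matters in practice: a naive exact-match count undercounts defaults like “Admin” or “admin ” that are functionally identical to the blocklisted value, and the per-reason breakdown separates accounts that need a password change from accounts that indicate a broken provisioning process (for example, service accounts whose password equals the account name).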

From the ransomware front,

  • On October 19,
    • “CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated version of the joint #StopRansomware Guide. The update includes new prevention tips such as hardening SMB protocols, revised response steps, and added threat hunting insights.
    • “Developed through the U.S. Joint Ransomware Task Force (JRTF), #StopRansomware Guide is designed to be a one-stop resource to help organizations minimize the risks posed by ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
    • “CISA and its partners encourage organizations to implement the recommendations in the guide to reduce the likelihood and impact of ransomware incidents. For more information, visit CISA’s Stop Ransomware page.”

From the cybersecurity defenses front,

  • The FEHBlog noticed that Security Week published a series of articles on this topic in October.
    • Lost and Stolen Devices: A Gateway to Data Breaches and Leaks; By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.
    • Applying AI to API Security; While there is quite a bit of buzz and hype around AI, it is a technology that can add tremendous value to security programs.
    • Addressing the People Problem in Cybersecurity; Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder.
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rule, released its October 2023 Cybersecurity Newsletter, which concerns how sanctions policies can support HIPAA compliance.
  • NIST “interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.”
  • On October 18, CISA announced that it and the “National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published ‘Phishing Guidance, Stopping the Attack Cycle at Phase One’ to help organizations reduce the likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.”
  • Dark Reading discusses “Change From Within: 3 Cybersecurity Transformation Traps for CISOs to Avoid.”