Cybersecurity Saturday

From the cybersecurity policy front,

  • FedScoop tells us,
    • “A new bipartisan House bill aims to bolster the U.S. cybersecurity workforce by creating two training programs within the federal government, building on companion legislation introduced in the Senate earlier this year.
    • “The Federal Cybersecurity Workforce Expansion Act, co-sponsored by Reps. Chrissy Houlahan, D-Pa., and Mike Gallagher, R-Wis., would establish a cybersecurity registered apprenticeship program in the Cybersecurity and Infrastructure Security Agency and a Department of Veterans Affairs pilot program that would provide cybersecurity training to veterans.”
  • The Cybersecurity and Infrastructure Security Agency (“CISA”) announced,
    • “In the fast-paced world of cybersecurity, staying ahead of threats is essential. And while security is without a doubt a priority for businesses of all sizes, it is easy to feel overwhelmed by all the information available. At CISA, we have been diligently developing a solution aimed at simplifying the way our partners and potential collaborators understand their cyber risk and prioritize their investments, ensuring they can quickly navigate this complexity with ease. Our focus has been on making the process of working with us more intuitive and user-friendly so that every organization can spend more time meeting business goals and less time sifting through cybersecurity resources. We believe this approach will be especially helpful for smaller to medium sized stakeholders with fewer resources, who need help prioritizing actions to help them to reduce the likelihood and impact of damaging intrusions.
    • “In early 2024, we look forward to launching a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around our Cybersecurity Performance Goals. This new tool is called ReadySetCyber. While we’re not quite ready to unveil all the details just yet, we are excited to share a glimpse of what’s on the horizon.”
    • That glimpse is available here.
  • The Wall Street Journal reports,
    • “A cyberattack that disrupts everyday life in the U.S. will likely cost more than the insurance industry can afford to cover, requiring government intervention, insurers and brokers said.
    • “The idea of a federal backstop to help insurers cope in the event of a catastrophic cyberattack has been examined by the government in recent years, but has gained momentum with tandem efforts at the Treasury Department, the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency over the past year. Government officials and the insurance industry plan to meet in April to work out exactly what such a program would look like.
    • “Federal support in the event of a catastrophic attack would undoubtedly be necessary, said John Keogh, president and chief operating officer of insurer Chubb.
    • “While the industry could absorb a major natural disaster, the effects of a cyberattack on a similar scale would quickly overwhelm its capacity to cover losses.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive pointed out last Monday,
    • A cyberattack targeting Fidelity National Financial led to disruptions across its services, including title insurance and mortgage transactions, after it was forced to block access to certain systems, the company said last week in a filing with the Securities and Exchange Commission.
    • An investigation showed an unauthorized third party gained access to some of its systems and stole certain credentials, the company said.
    • The threat group known as AlphV/BlackCat claimed responsibility for the attack, according to security researcher Dominic Alvieri.
  • CISA added two more known exploited vulnerabilities to its catalog on November 30, 2023, and removed one on December 1, 2023.

From the ransomware front, here’s a link to Bleeping Computer’s latest Week in Ransomware.

From the cybersecurity defenses front,

  • Techopedia identifies the top nine cybersecurity trends for 2024.
  • Cybersecurity Dive informs us,
    • “Technology like generative AI can address some key security challenges confronting organizations, but professionals that overemphasize those capabilities miss the fundamental need to put people and their unique talents first.
    • “Security is a people issue,” Amazon CSO Stephen Schmidt said Monday during a presentation at AWS re:Invent in Las Vegas. “Computers don’t attack each other. People are behind every single adversarial action that happens out there.”
    • “For Schmidt, winning in security is akin to playing chess — focusing on the board, how the pieces move and interact — while practicing psychology. Security professionals need to understand the human elements at play, including their own tendencies and opponents’ motivations.
    • “You’re not playing just one chess match,” Schmidt said. “You are playing dozens or hundreds of games at the same time, because you have a variety of adversaries with different motivations who are going after you.”
    • “This cybersecurity scrum can feel overwhelming, but many defenders view generative AI as an ally that can automate repetitive tasks. Cybersecurity vendors across the landscape have released security tools infused with the technology, and more are in the pipeline.”
  • TechRepublic adds that OpenAI first released ChatGPT on November 30, 2022. The site explains how the technology has evolved.