Cybersecurity Saturday

On Tuesday February 23, the Senate Select Committee on Intelligence held a hearing on the SolarWinds hack. FCW and CyberScoop report on the hearing here and there. Per CyberScoop

More than two months after the hack became public, the wide-ranging Senate Select Committee on Intelligence hearing demonstrated that the U.S. government, the private sector and digital incident responders still are wrestling with the ramifications of a suspected Russian espionage campaign that leveraged the federal contractor SolarWinds.

A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amounts to espionage, or something worse, and suspicions abound that more victims remain unrevealed.

“It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here,” said Senate Intelligence Chairman Mark Warner, D-Va.

The House Oversight and Reform Committee held its own SolarWinds hack hearing yesterday. “The hearing examine[d] the role of the private sector in preventing, investigating, and remediating these attacks, as well as the need for Congress and the Executive Branch to implement a strategy to strengthen cybersecurity across federal government networks and improve information-sharing with the private sector.”

In other SolarWinds hack-related news, CyberScoop reports that

Microsoft is offering up the tool it used to track down potential indicators of compromise in the sweeping SolarWinds breach, the company announced Thursday.

Microsoft is releasing the so-called CodeQL queries it used to investigate its source code, in an effort to help other organizations mitigate the risk from the cascading cyber-espionage campaign involving a breach at the U.S. federal contractor SolarWinds. Microsoft is aiming to help firms pinpoint code-level indicators of compromise (IoCs), Microsoft’s Security Team said in a blog.

By digging into their own code, organizations can assess if they have been compromised by the hack, in which suspected Russian hackers laced malicious software in a SolarWinds product’s software update, Microsoft said. The company has described the campaign as “Solorigate.”

  • CyberScoop reports that on Wednesday February 24, “President Joe Biden signed an executive order on Wednesday directing federal agencies to conduct a review of supply chain security risks in industries including information technology. * * * Specifically, the order directs reports within one year from the secretaries of Agriculture, Defense, Energy, Health and Human Services and Transportation — along with a joint Commerce/Homeland Security report — that include an assessment of cyber risks within key industry sectors that could disrupt the U.S. supply chain.”

In other cybersecurity-related news —

  • Bleeping Computer discusses at reasonable length the Zero Trust security model that the FEHBlog referenced in a recent post. “The National Security Agency (NSA) and Microsoft are advocating for the Zero Trust security model as a more efficient way for enterprises to defend against today’s increasingly sophisticated threats. The concept has been around for a while and centers on the assumption that an intruder may already be on the network, so local devices and connections should never be trusted implicitly and verification is always necessary. Cybersecurity companies have pushed the zero-trust network model for years, as a transition from the traditional security design that considered only external threats.”
  • Bitglass, a cloud security vendor, released its seventh annual healthcare data breach report.

Key Findings [from the company’s announcement]

  • The average cost per breached record increased from $429 in 2019 to $499 in 2020. With 26.4 million records exposed in 2020, data breaches cost healthcare organizations $13.2 billion.
  • Outside of hacking and IT incidents, the remaining breach categories exposed the personal details of about 2.3 million people, exposing victims to identity theft, phishing, and other forms of cyberattacks. 
  • This year, breach numbers were up across the board, with 37 out of 50 U.S. states suffering more breaches than they did in 2019. California had the most healthcare breaches in 2020 with 49 incidents, surpassing last year’s leader, Texas, which suffered 43 breaches in 2020.
  • In 2020, the average healthcare firm took about 236 days to recover from a breach.

  • The FEHBlog recently noticed that the Office of Personnel Management has posted its 4th Quarter 2020 report on the implementation of its FEHB Master Enrollment Index.
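To make the Zero Trust idea in the Bleeping Computer item above concrete (an intruder may already be inside, so network location earns no trust and every request is verified), here is an added illustration in Python. It is not code from Bleeping Computer, the NSA or Microsoft; the policy rules, the corporate address range, the entitlement table and the sample requests are all constructed for this example.

```python
"""Perimeter trust versus per-request (zero trust) verification.

Constructed illustration: the internal network range, the entitlement table,
the token-age limit and the sample requests below are invented for this
example and are not taken from any vendor or agency guidance.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Assumed corporate address space (constructed).
INTERNAL_NET = ip_network("10.0.0.0/8")

# Assumed limit on how old an access token may be before re-verification
# is demanded (constructed: 15 minutes). Continuous verification, not
# "verified once at login".
MAX_TOKEN_AGE_S = 900

# Constructed least-privilege entitlement table: user -> resources allowed.
ENTITLEMENTS = {
    "alice": {"payroll-db"},
    "bob": {"wiki"},
}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    mfa_verified: bool      # strong proof of identity for this session
    device_compliant: bool  # managed, patched, encrypted, etc.
    token_age_s: int        # seconds since the access token was issued
    resource: str


def perimeter_decision(req: Request) -> str:
    """Legacy model: anything originating inside the network is trusted."""
    return "allow" if ip_address(req.source_ip) in INTERNAL_NET else "deny"


def is_entitled(user: str, resource: str) -> bool:
    return resource in ENTITLEMENTS.get(user, set())


def zero_trust_decision(req: Request) -> Tuple[str, str]:
    """Zero trust model: each request must pass identity, device posture,
    freshness and least-privilege checks. Source network is not consulted.
    Returns (decision, reason)."""
    if not req.mfa_verified:
        return "deny", "identity not strongly verified"
    if not req.device_compliant:
        return "deny", "device posture not compliant"
    if req.token_age_s > MAX_TOKEN_AGE_S:
        return "deny", "credential stale; re-authentication required"
    if not is_entitled(req.user, req.resource):
        return "deny", "user not entitled to resource"
    return "allow", "identity, device, freshness and entitlement verified"


def compare(req: Request) -> dict:
    """Side-by-side outcome of both models for one request."""
    zt, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": zt, "reason": reason}


# Constructed sample requests.
INTRUDER_ON_LAN = Request("mallory", "10.4.7.22", False, False, 10, "payroll-db")
REMOTE_EMPLOYEE = Request("alice", "203.0.113.9", True, True, 120, "payroll-db")
INSIDER_OVERREACH = Request("bob", "10.1.1.5", True, True, 60, "payroll-db")
STALE_SESSION = Request("alice", "10.1.1.8", True, True, 7200, "payroll-db")

if __name__ == "__main__":
    for label, req in [("intruder already on LAN", INTRUDER_ON_LAN),
                       ("remote employee", REMOTE_EMPLOYEE),
                       ("insider beyond entitlement", INSIDER_OVERREACH),
                       ("stale session on LAN", STALE_SESSION)]:
        print(f"{label:28s} {compare(req)}")
```

The contrast the example is meant to show: the perimeter model waves through the foothold that is already on the internal network and blocks the legitimate remote employee, while the per-request model reverses both outcomes and additionally catches an entitled user reaching beyond their role and a session whose verification has gone stale.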

Cybersecurity Saturday

Photo by Christine Sandu on Unsplash

Healthcare Dive reports that

  • The COVID-19 pandemic has created an upheaval in healthcare cybersecurity, according to a new report from CI Security, as the use of personal devices to conduct work tasks has boomed.
  • And despite the dramatic growth in telehealth services, “many healthcare organizations are still struggling to implement digital health initiatives in a secure manner,” according to the report. Telehealth became vulnerable to attack almost as soon as providers began relying on it to treat patients.
  • CI Security analyzed breaches publicly reported to HHS, and the results are grim. Breach reports were up 35.6% in the second half of 2020 compared to the first half, while the number of patient records that were breached increased more than 180%, although the bulk of those incidents are tied to business associates rather than providers directly. However, CI Security officials fear that the situation will continue to deteriorate in 2021 unless healthcare organizations take proactive steps.

On February 10, the House of Representatives Homeland Security Committee held a hearing on assessing cyberthreats and building resilience. CyberScoop reports on the hearing here.

Chris Krebs, who served as the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, on Wednesday also hinted at the complexity of the security threats against American systems when he suggested a disgruntled employee was “very likely” behind a Feb. 5 breach at a water treatment facility in Florida. While a federal investigation into the incident — in which an attacker attempted to change the level of sodium hydroxide to a dangerous level for consumption — remains ongoing, Krebs also said an attacker outside the U.S. may have been the culprit. “This is why we do investigations,” he said.

On the SolarWinds backdoor hack front, C4isrnet.com informs us that

Reacting to senators’ criticism of a disorganized response to a massive government hack, the White House said a top cybersecurity adviser is leading the recovery.

The news Wednesday [February 10] that Anne Neuberger, deputy national security adviser for cyber, is in charge of responding to the Russian breach pleased Senate Intelligence Committee leaders, who called the effort disjointed a day earlier and have pushed for more information about federal cybersecurity.

“The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response,” said Sens. Mark Warner, D-Virginia, and Marco Rubio, R-Florida, the committee chairman and vice chairman, respectively. “The committee looks forward to getting regular briefings from Ms. Neuberger and working with her to ensure we fully confront and mitigate this incident as quickly as possible.”

Before moving to a new cybersecurity-focused role on the National Security Council, Neuberger was the first director of the National Security Agency’s Cybersecurity Directorate, created in 2019 to provide the private sector key intelligence to bolster national cybersecurity.

Media reports noted that the Biden administration said Neuberger has been the point person on the federal response all along, but that role had not been known publicly.

Finally, Meritalk tells us about a cybersecurity colloquium held earlier this week.

The advent of new leadership in the White House and the still-unfolding impact of the Russia-backed hack of thousands of government and private-sector networks via SolarWinds Orion products are leading to a fresh consideration of options to improve Federal cybersecurity, panelists said on Feb. 9 at the Resiliency Colloquium event organized by MeriTalk, ACT-IAC, and the Partnership for Public Service.

Former Federal CIO Tony Scott, who moderated a panel discussion on cybersecurity, explained that the China-based hack of Office of Personnel Management (OPM) records came to light early in his tenure in 2015, and “caused us to look around and say what else do we need to worry about.”

Sean Connelly, who manages the Trusted Internet Connections (TIC) program at the Cybersecurity and Infrastructure Security Agency (CISA), recalled that the government’s response to the OPM hack included a burst of activity from the Office of Management and Budget (OMB) on improving security. “A lot of the discussions we are having across the Federal government echo some of those same tenets,” he said.

In a general way, Connelly mentioned that security discussions inside government currently include issues such as the surge in Federal teleworking, the use of home networks in that regard, and opportunities presented by cloud services. “A lot of different areas have come together now to move us forward” in a similar way as following the 2015 OPM breach, he said.

Cybersecurity Saturday

The Wall Street Journal reports today that

Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack.

Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers, according to investigators and the government agency digging into the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions. * * *

The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”

That is chilling news. What should be done?

In that regard, Fortune seeks to untangle the U.S. cybersecurity “mess” for us. The article explains

Restructuring [the U.S. cybersecurity] system is core to the work of the Cyberspace Solarium Commission, a task force commissioned by Congress to help reform U.S. cybersecurity. “Our focus [is] on making the market more effective at driving good behavior,” says commissioner Suzanne Spaulding, a senior adviser for cybersecurity and counterterrorism at the Center for Strategic and International Studies. “If the market isn’t performing the way it should, why isn’t it?” 

The commission spent the past year drawing up a wide-ranging list of recommendations, and in January, 26 of them became law as part of the 2021 National Defense Authorization Act. The NDAA creates a White House–level Office of the National Cyber Director and grants new private-sector threat-response powers to the federal Cybersecurity and Infrastructure Security Agency—significant changes that commission members hope will prompt closer collaboration between government and industry on security standards. “A lot of the recommendations, some of us have been making for years,” says Cilluffo, who’s also a commissioner. “But the political will was not where it needed to be. Now, we don’t need any reminders.”

Solarium’s mandate has been extended for at least another year, and its next round of advocacy and recommendations will focus more squarely on the private sector. The goal: creating better incentives for building secure software and sharing intelligence about cyberthreats.

On the personnel front, GovConWire reported last week that

Sources said Biden is likely to name [Jen] Easterly to the newly created role of national cyber director at the White House to help guide the current administration’s cybersecurity strategy and oversee digital security efforts of agencies.

Easterly is head of resilience at Morgan Stanley and previously served as deputy director for counterterrorism at the National Security Agency between 2011 and 2013. She served in the National Security Council as special assistant to the president and senior director for counterterrorism during the Obama administration.

Healthcare Dive also noted that “The Biden administration hired Chris DeRusha as federal CISO, tasking him with coordinating cybersecurity policy across federal agencies. DeRusha previously served as the top cybersecurity officer for the Biden presidential campaign.”

CyberScoop adds with respect to the ongoing investigation that

[L]awmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.

A group of lawmakers led by Sen. Ron Wyden, D-Ore., is asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government.

Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill — and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed.

Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks.