Cybersecurity Saturday

FCW reports that

Rep. Michael McCaul (R-Texas) announced that he and Rep. Jim Langevin (D-R.I.), both members of the House Homeland Security Committee, are working on a bill that would establish the Cybersecurity and Information Security Agency as a kind of 911 for breach notification. McCaul said his legislation is designed to protect companies from repercussions in the market by removing sources and methods and company names out of reporting. “It would just simply send a threat information itself to CISA so that they could deal both industrywide and federal government wide and state, the threat information they would need to address it on a larger scale,” McCaul said at a joint hearing of the House Committee on Oversight and Reform and the House Homeland Security Committee on Feb. 26.

Speaking of CISA, last Wednesday March 3, CISA issued an emergency directive 21-02 “requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch.” According to the Wall Street Journal this action stems from

A cyberattack on Microsoft Corp.’s Exchange email software is believed to have infected tens of thousands of businesses, government offices and schools in the U.S., according to people briefed on the matter.

Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments. Estimates of total world-wide victims were approximate and ranged broadly as of Friday. Tens of thousands of customers appear to have been affected, but that number could be larger, the people said. It could be higher than 250,000, one person said.

While many of those affected likely hold little intelligence value due to the targets of the attack, it is likely to have netted high-value espionage targets as well, one of the people said.

Cyberscoop informs us that

The White House is moving forward with an executive order to encourage software developers to build more security into their products as the investigation of a suspected Russian supply chain compromise continues, a top security official said Friday [March 5]. The upcoming directive “will focus on building in standards for software, particularly software that’s used in critical areas,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said at the SANS Institute’s ICS Security Summit. “The level of trust we have in our systems has to be directly proportional to the visibility we have. And the level of visibility has to match the consequences of the failure of those systems.”

Cyberscoop further discloses that

Microsoft and FireEye on Thursday [March 4] revealed three more malware strains associated with the suspected Russian perpetrators who breached SolarWinds’ Orion software and used its update to infect federal agencies and major companies. FireEye named one strain Sunshuttle in a blog post. In a separate blog post, Microsoft dubbed two more strains GoldFinder and Sibot, and labeled the strain FireEye called Sunshuttle as GoldMax. Microsoft said the strains join the previously known SolarWinds hacker tools Sunburst and Teardrop.

Fortune discusses the nascent use of contact tracing in cybersecurity processes.

A concept called Sightings has been gaining traction in the security community, largely at the academic level, for the past few years. The idea is for organizations to be able to share details of how they were attacked and what was targeted—the who, what, and when—as quickly as possible with other organizations.

This concept could help organizations identify breaches sooner and remediate faster and more effectively. Through sharing, attack techniques could be more thoroughly understood, and with the right reporting mechanism, the resulting threat intelligence could be shared to help more organizations avoid a breach in the first place. MITRE, a leading not-for-profit research organization, is working on incorporating Sightings concepts into a security reporting process that would let breach victims share appropriate data in a secure, anonymized way to benefit the wider community.

Beyond this threat intelligence application, organizations could use this sort of contact tracing approach for their own internal investigations. Data contact tracing can dramatically reduce the time it takes to discover how far into their networks an attacker has penetrated, and identify where related systems in their supply chains, customers, and partner networks have also been compromised.
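Both the McCaul proposal above (strip company names, sources and methods, and forward only the threat information) and the Sightings concept rest on the same two operations: redacting a victim's own identity out of an incident record before it leaves the building, and letting other organizations match the shared indicators against their own telemetry. The following Python is an added example, not code from MITRE, CISA or any of the articles quoted here; the record layout, field names and sample values are constructed for the illustration and do not reproduce any real sharing schema.

```python
"""Anonymized breach 'sighting' sharing and indicator matching (added example).

The record layout, field names and sample values are constructed for this
illustration; they are not MITRE's Sightings format or any CISA reporting schema.
"""
import json
from typing import Dict, List

# Constructed sample: an internal incident record as one organization might keep it.
INTERNAL_INCIDENT = {
    "organization": "Example Hospital Network",          # constructed
    "reporter_email": "soc@example-hospital.invalid",    # constructed
    "first_seen": "2021-02-26T14:32:10Z",
    "technique": "trojanized software update",           # constructed label
    "targeted_asset": "supply-chain management server",
    "indicators": [
        "update-mirror.example.invalid",                 # constructed domain
        "sha256:constructed0000000000000000000000",      # constructed hash
        "update-mirror.example.invalid",                 # duplicate, to show dedup
    ],
    "internal_hosts": ["srv-supply-01", "wks-fin-07"],   # constructed hostnames
}

# Fields that name the victim or its infrastructure never leave the organization.
PRIVATE_FIELDS = ("organization", "reporter_email", "internal_hosts")


def anonymize_sighting(incident: Dict) -> Dict:
    """Build the shareable record: the who/what/when of the attack minus the victim.

    'Who' is the attacker's technique and indicators, 'what' the kind of asset hit,
    'when' the day of first observation (day granularity lowers re-identification risk).
    """
    return {
        "observed_day": incident["first_seen"][:10],
        "technique": incident["technique"],
        "targeted_asset": incident["targeted_asset"],
        "indicators": sorted(set(incident["indicators"])),
    }


def leaks_identity(sighting: Dict, incident: Dict) -> bool:
    """Pre-share check: True if any private value of the incident appears in the record."""
    serialized = json.dumps(sighting)
    for field in PRIVATE_FIELDS:
        values = incident[field]
        if isinstance(values, str):
            values = [values]
        if any(v in serialized for v in values):
            return True
    return False


def match_sightings(sightings: List[Dict],
                    local_observations: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """'Contact tracing': map each local host to the techniques others reported
    for indicators that host was also seen contacting or loading."""
    by_indicator: Dict[str, set] = {}
    for s in sightings:
        for ind in s["indicators"]:
            by_indicator.setdefault(ind, set()).add(s["technique"])
    hits: Dict[str, set] = {}
    for host, seen in local_observations.items():
        for ind in seen:
            if ind in by_indicator:
                hits.setdefault(host, set()).update(by_indicator[ind])
    return {host: sorted(techs) for host, techs in hits.items()}


if __name__ == "__main__":
    shared = anonymize_sighting(INTERNAL_INCIDENT)
    assert not leaks_identity(shared, INTERNAL_INCIDENT)
    print(json.dumps(shared, indent=2))
    # Constructed telemetry from a partner organization's own network.
    partner_telemetry = {
        "partner-build-01": ["update-mirror.example.invalid", "cdn.example.invalid"],
        "partner-mail-02": ["cdn.example.invalid"],
    }
    print(match_sightings([shared], partner_telemetry))
```

The pre-share check is the part worth keeping even when the schema changes: it treats the private fields as a denylist of literal values and refuses the record if any of them survived into free-text fields, which is where hostnames and company names usually leak.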

Finally, Health IT Security reports that

Cyberattacks on healthcare more than doubled in 2020, with ransomware accounting for 28 percent of all attacks. COVID-19 response efforts, including personal protective equipment and the vaccine supply chain were the largest focus of these targeted campaigns, according to the latest IBM X-Force report.

Nearly one out of four of overall cyberattacks last year were ransomware, while the increase in data extortion efforts enabled just one of these ransomware hacking groups to make over $123 million in profits in 2020.

The annual report is generated through insights and observations from monitoring more than 150 billion security events per day in more than 130 countries. Researchers also gathered and analyzed data from multiple sources within IBM, including data from Quad9 and Intezer.

Cybersecurity Saturday

On Tuesday February 23, the Senate Select Committee on Intelligence held a hearing on the SolarWinds hack. FCW and CyberScoop report on the hearing here and there. Per CyberScoop

More than two months after the hack became public, the wide-ranging Senate Select Committee on Intelligence hearing committee demonstrated that the U.S. government, the private sector and digital incident responders still are wrestling with the ramifications of a suspected Russian espionage campaign that leveraged the federal contractor SolarWinds.

A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amounts to espionage, or something worse, and suspicions abound that more victims remain unrevealed.

“It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here,” said Senate Intelligence Chairman Mark Warner, D-Va.

The House Oversight and Reform Committee held its own SolarWinds hack hearing yesterday. “The hearing examine[d] the role of the private sector in preventing, investigating, and remediating these attacks, as well as the need for Congress and the Executive Branch to implement a strategy to strengthen cybersecurity across federal government networks and improve information-sharing with the private sector.”

In other SolarWinds hack related news, CyberScoop reports that

Microsoft is offering up the tool it used to track down potential indicators of compromise in the sweeping SolarWinds breach, the company announced Thursday.

Microsoft is releasing the so-called CodeQL queries it used to investigate its source code, in an effort to help other organizations mitigate the risk from the cascading cyber-espionage campaign involving a breach at the U.S. federal contractor SolarWinds. Microsoft is aiming to help firms pinpoint code-level indicators of compromise (IoCs), Microsoft’s Security Team said in a blog.

By digging into their own code, organizations can assess if they have been compromised by the hack, in which suspected Russian hackers laced malicious software in a SolarWinds product’s software update, Microsoft said. The company has described the campaign as “Solorigate.”

  • CyberScoop reports that on Wednesday February 24, “President Joe Biden signed an executive order on Wednesday directing federal agencies to conduct a review of supply chain security risks in industries including information technology. * * * Specifically, the order directs reports within one year from the secretaries of Agriculture, Defense, Energy, Health and Human Services and Transportation — along with a joint Commerce/Homeland Security report — that include an assessment of cyber risks within key industry sectors that could disrupt the U.S. supply chain.”

In other cybersecurity related news —

  • Bleeping Computer discusses at reasonable length the Zero Trust security model that the FEHBlog referenced in a recent post. “The National Security Agency (NSA) and Microsoft are advocating for the Zero Trust security model as a more efficient way for enterprises to defend against today’s increasingly sophisticated threats. The concept has been around for a while and centers on the assumption that an intruder may already be on the network, so local devices and connections should never be trusted implicitly and verification is always necessary. Cybersecurity companies have pushed the zero-trust network model for years, as a transition from the traditional security design that considered only external threats.”
  • Bitglass, a cloud security vendor, released its seventh annual healthcare data breach report.

Key Findings [from the company’s announcement]

  • The average cost per breached record increased from $429 in 2019 to $499 in 2020. With 26.4 million records exposed in 2020, data breaches cost healthcare organizations $13.2 billion.
  • Outside of hacking and IT incidents, the remaining breach categories exposed the personal details of about 2.3 million people, exposing victims to identity theft, phishing, and other forms of cyberattacks. 
  • This year, breach numbers were up across the board, with 37 out of 50 U.S. states suffering more breaches than they did in 2019. California had the most healthcare breaches in 2020 with 49 incidents–surpassing last year’s leader, Texas, which suffered 43 breaches in 2020. 
  • In 2020, the average healthcare firm took about 236 days to recover from a breach. 
  • The FEHBlog recently noticed that the Office of Personnel Management has posted its 4th Quarter 2020 report on the implementation of its FEHB Master Enrollment Index.
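The Zero Trust item from Bleeping Computer above boils down to one design change: a request is no longer trusted because of where it comes from on the network, but because the identity, the device and the authorization for that specific resource are each verified. The Python below is an added example written for this page, not code from Microsoft, the NSA or Bleeping Computer; the address range, device inventory and access list are constructed, and the checks are a minimal illustration rather than any vendor's reference architecture. It puts the perimeter decision beside the Zero Trust decision so the difference shows on a request from an intruder who already has a foothold inside the network.

```python
"""Perimeter trust versus Zero Trust access decisions (added example).

The network range, device inventory and access list are constructed; the decision
logic is a minimal illustration, not Microsoft's or the NSA's reference design.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]                        # constructed corporate range
MANAGED_DEVICES = {"lap-0042": "compliant", "lap-0077": "compliant",
                   "lap-0099": "noncompliant"}                                # constructed device inventory
RESOURCE_ACL = {"payroll-db": {"alice"}, "wiki": {"alice", "bob"}}          # constructed per-resource authz


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]       # identity proven by a validated token; None if absent or invalid
    mfa: bool                 # whether that identity completed multi-factor authentication
    device_id: Optional[str]  # device identity from an attested client certificate, if any
    resource: str


def perimeter_decision(req: Request) -> str:
    """Traditional model: anything already on the internal network is trusted."""
    ip = ipaddress.ip_address(req.source_ip)
    return "allow" if any(ip in net for net in INTERNAL_NETS) else "deny"


def zero_trust_decision(req: Request) -> Tuple[str, str]:
    """Zero Trust: assume the intruder is already inside and verify every request.

    Network location is deliberately never consulted. Every denial carries a reason
    so it can be logged and investigated rather than silently dropped.
    """
    if req.user is None:
        return "deny", "no verified identity"
    if not req.mfa:
        return "deny", "multi-factor authentication required"
    if MANAGED_DEVICES.get(req.device_id) != "compliant":
        return "deny", "device unknown or not compliant"
    if req.user not in RESOURCE_ACL.get(req.resource, set()):
        return "deny", "identity not authorized for this resource"
    return "allow", "identity, device posture and authorization verified"


# Constructed scenarios.
INTRUDER_INSIDE = Request("10.20.30.40", None, False, None, "payroll-db")        # foothold on the LAN, no identity
ALICE_REMOTE = Request("203.0.113.7", "alice", True, "lap-0042", "payroll-db")  # legitimate user off-network
BOB_INSIDE = Request("10.1.1.5", "bob", True, "lap-0077", "payroll-db")         # authenticated, not authorized
ALICE_BAD_DEVICE = Request("10.1.1.9", "alice", True, "lap-0099", "wiki")       # right user, noncompliant laptop

if __name__ == "__main__":
    for name, req in [("intruder inside", INTRUDER_INSIDE), ("alice remote", ALICE_REMOTE),
                      ("bob inside", BOB_INSIDE), ("alice bad device", ALICE_BAD_DEVICE)]:
        print(f"{name:17} perimeter={perimeter_decision(req):5} zero-trust={zero_trust_decision(req)}")
```

The intruder case is the one the NSA and Microsoft guidance is about: the perimeter model allows it purely on the strength of an internal address, while the Zero Trust model denies it at the first check because no identity was ever verified. The reverse case, a legitimate user on an untrusted network with a compliant device, is allowed only under Zero Trust.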

Cybersecurity Saturday

Healthcare Dive reports that

  • The COVID-19 pandemic has created an upheaval in healthcare cybersecurity, according to a new report from CI Security, as the use of personal devices to conduct work tasks has boomed.
  • And despite the dramatic growth in telehealth services, “many healthcare organizations are still struggling to implement digital health initiatives in a secure manner,” according to the report. Telehealth became vulnerable to attack almost as soon as providers began relying on it to treat patients.
  • CI Security analyzed breaches publicly reported to HHS, and the results are grim. Breach reports were up 35.6% in the second half of 2020 compared to the first half, while the number of patient records that were breached increased more than 180%, although the bulk of those incidents are tied to business associates rather than providers directly. However, CI Security officials fear that the situation will continue to deteriorate in 2021 unless healthcare organizations take proactive steps.

On February 10, the House of Representatives Homeland Security Committee held a hearing on assessing cyberthreats and building resilience. Cyberscoop reports on the hearing here.

Chris Krebs, who served as the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, on Wednesday also hinted at the complexity of the security threats against American systems when he suggested a disgruntled employee was “very likely” behind a breach at a Feb. 5 water treatment facility in Florida. While a federal investigation into the incident — in which an attacker attempted to change the level of sodium hydroxide to a dangerous level for consumption — remains ongoing, Krebs also said an attacker outside the U.S. may have been the culprit.  “This is why we do investigations,” he said.

On the SolarWinds backdoor hack front, C4isrnet.com informs us that

Reacting to senators’ criticism of a disorganized response to a massive government hack, the White House said a top cybersecurity adviser is leading the recovery.

The news Wednesday [February 10] that Anne Neuberger, deputy national security adviser for cyber, is in charge of responding to the Russian breach pleased Senate Intelligence Committee leaders, who called the effort disjointed a day earlier and have pushed for more information about federal cybersecurity.

“The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response,” said Sens. Mark Warner, D-Virginia, and Marco Rubio, R-Florida, the committee chairman and vice chairman, respectively. “The committee looks forward to getting regular briefings from Ms. Neuberger and working with her to ensure we fully confront and mitigate this incident as quickly as possible.”

Before moving to a new cybersecurity-focused role on the National Security Council, Neuberger was the first director of the National Security Agency’s Cybersecurity Directorate, created in 2019 to provide the private sector key intelligence to bolster national cybersecurity.

Media reports noted that the Biden administration said Neuberger has been the point person on the federal response all along, but that role had not been known publicly.

Finally, MeriTalk tells us about a cybersecurity colloquium held earlier this week.

The advent of new leadership in the White House and the still-unfolding impact of the Russia-backed hack of thousands of government and private-sector networks via SolarWinds Orion products are leading to a fresh consideration of options to improve Federal cybersecurity, panelists said on Feb. 9 at the Resiliency Colloquium event organized by MeriTalk, ACT-IAC, and the Partnership for Public Service.

Former Federal CIO Tony Scott, who moderated a panel discussion on cybersecurity, explained that the China-based hack of Office of Personnel Management (OPM) records came to light early in his tenure in 2015, and “caused us to look around and say what else do we need to worry about.”

Sean Connelly, who manages the Trusted Internet Connections (TIC) program at the Cybersecurity and Infrastructure Security Agency (CISA), recalled that the government’s response to the OPM hack included a burst of activity from the Office of Management and Budget (OMB) on improving security. “A lot of the discussions we are having across the Federal government echo some of those same tenets,” he said.

In a general way, Connelly mentioned that security discussions inside government currently include issues such as the surge in Federal teleworking, the use of home networks in that regard, and opportunities presented by cloud services. “A lot of different areas have come together now to move us forward” in a similar way as following the 2015 OPM breach, he said.

Cybersecurity Saturday

The Wall Street Journal reports today that

Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack.

Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers, according to investigators and the government agency digging into the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions. * * *

The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”

That is chilling news. What should be done?

In that regard, Fortune seeks to untangle the U.S. cybersecurity “mess” for us. The article explains

Restructuring [the U.S. cybersecurity] system is core to the work of the Cyberspace Solarium Commission, a task force commissioned by Congress to help reform U.S. cybersecurity. “Our focus [is] on making the market more effective at driving good behavior,” says commissioner Suzanne Spaulding, a senior adviser for cybersecurity and counterterrorism at the Center for Strategic and International Studies. “If the market isn’t performing the way it should, why isn’t it?” 

The commission spent the past year drawing up a wide-ranging list of recommendations, and in January, 26 of them became law as part of the 2021 National Defense Authorization Act. The NDAA creates a White House–level Office of the National Cyber Director and grants new private-sector threat-response powers to the federal Cybersecurity and Infrastructure Security Agency—significant changes that commission members hope will prompt closer collaboration between government and industry on security standards. “A lot of the recommendations, some of us have been making for years,” says Cilluffo, who’s also a commissioner. “But the political will was not where it needed to be. Now, we don’t need any reminders.”

Solarium’s mandate has been extended for at least another year, and its next round of advocacy and recommendations will focus more squarely on the private sector. The goal: creating better incentives for building secure software and sharing intelligence about cyberthreats.

On the personnel front, GovConWire reported last week that

Sources said Biden is likely to name [Jen] Easterly to the newly created role of national cyber director at the White House to help guide the current administration’s cybersecurity strategy and oversee digital security efforts of agencies.

Easterly is head of resilience at Morgan Stanley and previously served as deputy director for counterterrorism at the National Security Agency between 2011 and 2013. She served in the National Security Council as special assistant to the president and senior director for counterterrorism during the Obama administration.

Healthcare Dive also noted that “The Biden administration hired Chris DeRusha as federal CISO, tasking him with coordinating cybersecurity policy across federal agencies. DeRusha previously served as the top cybersecurity officer for the Biden presidential campaign.”

Cyber Scoop adds with respect to the ongoing investigation that

[L]awmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.

A group of lawmakers led by Sen. Ron Wyden, D-Ore., is asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government.

Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill — and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed.

Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks.