From the cybersecurity policy front,

• Fortune offers a commentary on the topic aptly titled “A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats.”

• HHS’s 405(d) Program released its latest newsletter.

• The National Institute of Standards and Technology (NIST) issued
  • “a Request for Information (RFI) that will assist in the implementation of its responsibilities under the recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI).  * * *
  • “Responses will be accepted until Feb. 2, 2024, and will be posted to www.regulations.gov. The information collected will inform the drafting of guidance that NIST will release for public comment.”  

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency is seeking comment on a global effort to improve software security through major changes in development practices.
  • “The request for information, released Wednesday, seeks input about how to best incorporate security into the software development life cycle. Specifically, CISA is asking for input on how to tackle recurring software vulnerabilities, how to implement security into higher education, and how to enhance security into operational technology and how secure practices may impact costs.
  • “Our goal to drive forward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every consumer, which in turn requires us to rigorously seek and incorporate input,” CISA Director Jen Easterly said in the announcement.”

• Federal News Network points out,

  • The Defense Department’s long-awaited proposed rule for the Cybersecurity Maturity Model Certification (CMMC) lays out DoD’s plan to introduce the CMMC requirements over the next three years. The proposed rule, released today [December 22] and scheduled to be published in the Federal Register on Dec. 26, would establish requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors are implementing required security protections.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports
  • “Comcast’s Xfinity broadband entertainment platform disclosed a massive data breach involving 35.9 million customers on Monday, an incident connected to the ongoing CitrixBleed vulnerability.
  • “Xfinity promptly patched the vulnerability in Citrix software it uses in mid-October and took additional mitigation steps, the company said in an announcement. However, during a routine cybersecurity exercise on Oct. 25, Xfinity found an anomaly in its systems and identified a breach between Oct. 16-19 by an unauthorized party. 
  • “After launching an investigation and contacting law enforcement, on Nov. 16 the company determined that customer data was likely stolen. On Dec. 6, Xfinity determined the compromised data included user names and hashed passwords. In some cases, names, contact information, the last four digits of Social Security numbers, dates of birth and secret questions and answers were accessed.”

• Health IT Security adds,
  • “Genetic testing company 23andMe notified 6.9 million individuals that their personal information was compromised in October 2023. However, 23andMe had no evidence that there was a data security incident within its systems. Instead, threat actors leveraged credential stuffing, a tactic in which hackers use stolen login information from one account to gain access to other accounts with the same passwords. * * *
  • “The 23andMe breach exemplified the effects that poor cyber hygiene by end users can have on data security. What’s more, the breach’s impact was expanded since access to one account gave hackers further access to other user profiles via the DNA Relatives feature.
  • “Multi-factor authentication (MFA) often emerges as a sensible solution to this issue. The cornerstones of authentication revolve around three factors: something you know, something you have, and something you are. While single-factor authentication requires the user to identify only one of those factors, MFA necessitates that users produce two or more factors, such as a password and a security token, or a pin number and a fingerprint.”

• CISA added two known exploited vulnerabilities to its catalog on December 21.

From the ransomware front,

• The American Hospital Association tells us,
  • “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre Dec. 18 released a warning about actions and tactics used by the Play ransomware group. The group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe since 2022, in addition to incidents in Australia in April and November this year. 
  • “The cyber threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors use a double-extortion model, which encrypts systems after exfiltrating data; their ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.” 

• On December 19,
  • “CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), #StopRansomware: ALPHV Blackcat, to disseminate known ALPHV Blackcat affiliates’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as Dec. 6, 2023. The advisory also provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022.”

• Bleeping Computer’s The Week in Ransomware” offers details on the ALPHV situation that are worth a gander.

From the cybersecurity defenses front,

• Dark Reading reports,
  • “Cisco is closing out a busy year of acquisitions with a new deal to boost its multicloud networking and security capabilities.
  • “The networking giant announced its intention to acquire Isovalent, a cloud-native security and networking startup that helped develop two widely used visibility projects, eBPF, Cilium, and Tetragon. The open source technology eBPF provides developers with “unmatched visibility into the inner workings of the operating system,” Cisco said in a statement. The technology presents a way for building security systems that can protect a workload while running, according to the company. * * *
  • “Isovalent will join Cisco Security Business Group after the acquisition closes, which is expected in the second quarter of 2024 (third quarter of Cisco’s fiscal year). The purchase price was not disclosed.”

• CISA issued a blog post about planned improvements to its cybersecurity information sharing.
  • “Our shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment- perhaps a New Year’s resolution- to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.”

From the cybersecurity policy front,

• Cybersecurity Dive reported on December 13,
  • “The Senate confirmed Harry Coker Jr. as national cyber director Tuesday, ending a 10-month absence of a permanent leader in the role.
  • “The Navy veteran and executive director of the National Security Agency from 2017 to 2019, will lead the Office of the National Cyber Director and its team of about 100 employees after the Senate confirmed his nomination by a 59-40 vote.
  • “Coker joins the White House at a critical time, with the onus now on him to implement the national cybersecurity strategy that aims to shift the responsibility for security to technology manufacturers and vendors instead of customers.”

• Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) “released a Cybersecurity Advisory, Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, that details findings from our risk and vulnerability assessments of a Health and Public Health (HPH) Sector organization.”

• Bank Info Security explains,
  • “In a Friday advisory, CISA said it had performed the assessment in January at the request of a “large organization deploying on-premise software” that the agency did not identify.
  • “The risk and vulnerability assessment is a two-week penetration test of an entire organization. The first week is spent on external testing, and the second week focuses on assessing the internal network. The CISA team identified default credentials for multiple web interfaces and used default printer credentials while penetration testing. Other internal assessment testing found several other weaknesses.
  • “Based on its findings, the agency recommends healthcare and public health sector organizations ensure measures such as enhancing their internal environments to mitigate follow-on activity after initial access, using phishing-resistant multifactor authentication for all administrative access, and segregating networks. It also recommends verifying the implementation of those hardening measures, including changing, removing or deactivating all default credentials.
  • “CISA said its recommendations can apply to all critical infrastructure organizations as well as to software manufacturers.
  • “The agency said that as part of its assessment, its team had conducted web application, phishing, penetration, database and wireless assessments.”

From the cybersecurity vulnerability and breaches front,

• Cybersecurity Dive reports,
  • “U.S. authorities warn that threat actors linked to the Russian Foreign Intelligence Service (SVR) are exploiting a critical vulnerability in JetBrains TeamCity software as part of a worldwide effort that could lead to extensive supply chain attacks.
  • “The FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, along with U.K. and Polish authorities, said Nobelium/Midnight Blizzard — a threat group linked to the 2020 Sunburst attacks against SolarWinds — has been targeting hundreds of unpatched TeamCity servers across the globe, which are widely used for software development. 
  • “The hackers have not yet launched supply chain attacks, but have used their initial access to escalate privileges, move laterally within systems and install malicious backdoors in preparation for larger attacks, authorities said.”
• and
  • “CitrixBleed isn’t going away: Security experts struggle to control critical vulnerability. While officials echo urgent mitigation steps to contain the zero-day vulnerability, high-profile organizations continue to bear the impact.”

• CISA added a known exploited vulnerability to its catalog on December 11.

From the ransomware front, Bleeping Computer’s Week in Ransomware is back this week.

From the cybersecurity defenses front,

• CISA offers insights from its intensive risk assessment project discussed above under cybersecurity policy.
  • Here are the headlines:
    • “ACTIONS TO TAKE TODAY TO HARDEN YOUR INTERNAL ENVIRONMENT TO MITIGATE FOLLOW-ON ACTIVITY AFTER INITIAL ACCESS.
    • “Use phishing-resistant multi-factor authentication (MFA) for all administrative access.
    • “Verify the implementation of appropriate hardening measures, and change, remove, or deactivate all default credentials.
    • “Implement network segregation controls.”

• ISACA offers five things for various professionals to put on their 2024 to-do lists. Here are the five things for cybersecurity and privacy professionals. Check them out.

• Security Boulevard discusses the next great line of defense, security as a code (SaC).
  • “Security as Code (SaC) is the practice of building and integrating security into tools and workflows by identifying places where security checks, tests, and gates may be included.”

From the cybersecurity policy front,

• Healthcare Dive reports,
  • “The HHS released [on December 6] a working paper this week that outlines its strategy to support cybersecurity in healthcare, including proposing hospital cybersecurity requirements through Medicare and Medicaid and beginning to update the HIPAA rule.
  • “The paper details steps to improve resilience among healthcare organizations, like establishing voluntary cybersecurity goals for the sector, working with Congress to receive new authority and funding, and adding goals into existing regulations and programs.
  • “The strategy comes as healthcare organizations face growing threats of cyberattacks that jeopardize patient safety and privacy. The HHS’ Office for Civil Rights found a 93% increase in large breaches reported from 2018 to 2022, and a 278% increase in large breaches involving ransomware.  * * *
  • “Money and voluntary goals alone won’t drive enough change, the department said. The HHS’ third step focuses on proposing to add healthcare-specific cybersecurity goals into existing regulations, which will inform future standards.
  • “The CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid and the HHS’ OCR will begin to update the HIPAA Security Rule in the spring to include new standards. [Reginfo.gov tells us the proposed rule is expected to be released in September 2024.]
  • “The American Hospital Association CEO Rick Pollack said the trade and lobbying group welcomes more federal expertise and funding to protect the sector from cyberattacks, but it can’t support mandatory requirements.
  • “Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks,” Pollack said in a statement. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”

• Cyberscoop tells us,
  • “Addressing computer security vulnerabilities by quickly finding and patching flaws is a fundamentally broken model in need of being overhauled, Eric Goldstein, a top cybersecurity official at the Cybersecurity and Infrastructure Security Agency, said Friday.
  • “To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model,” Goldstein said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”
  • “Goldstein, the executive assistant director for cybersecurity at CISA, argued that delivering broad gains in computer security requires a “philosophical shift” that puts a smaller burden on school districts, water utilities, and small businesses to maintain secure systems, and asks more of the large companies to provide secure software and hardware.
  • “If you’re a school district, a water utility, a small business, you’re fundamentally not going to repeatedly succeed over time against the malicious actors that we are trying to manage every day,” Goldstein said.”

• The Department of Health and Human Services Office of Civil Rights announced,
  • “a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information. 
  • “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks. * * *
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html“

• The Federal Bureau of Investigation announced,
  • “The Securities and Exchange Commission’s new requirements for companies to disclose material cybersecurity incidents take effect on December 18, 2023. The FBI, in coordination with the Department of Justice, is providing guidance on how victims can request disclosure delays for national security or public safety reasons.
  • “You can click on the buttons at the bottom of this page to read guidance on requesting a delay and providing necessary information to the FBI, to view the SEC Rule, and to read the FBI’s Policy Notice about how victim requests are processed.  
  • “The FBI recommends all publicly traded companies establish a relationship with the cyber squad at their local FBI field office. The FBI also strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination. If the victim of a cyber intrusion engages with the FBI, that doesn’t trigger materiality. However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay. 
  • Please note that delay requests won’t be processed unless they are made immediately upon a company’s determination of materiality.”

• The National Institute of Standards and Technology released an updated
  • The NIST Cybersecurity and Privacy Reference Tool (CPRT) [which] provides a way to browse, view mappings, and download reference data from select NIST cybersecurity and privacy standards, guidelines, and Frameworks– all in standardized data formats (you can currently pick from XLSX or JSON). These tabular datasets will make it easier for users of NIST guidance to identify, locate, compare, and customize content without needing to review hundreds of pages of narrative within publications.

From the cybersecurity vulnerabilities and breaches front,

• The HHS health sector Cybersecurity Coordination Center (HC3) issued its November report on vulnerabilities of interest to the health sector.
  • “In November 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for November are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, Becton, Dickinson (BD) and Company, and ownCloud. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”

• The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog on December 4, four more on December 5 and another two on December 7.

• HC3 posted a white paper on ownCloud vulnerability.
  • “The ownCloud platform allows organizations to store, synchronize, and share files and other content, as well as collaborate and consolidate work processes. This platform is known to be deployed across the U.S. health sector, among other industries. The nature of this platform provides cyber-attackers with a target that can potentially provide access to sensitive health information, as well as a staging point for further attacks. Three vulnerabilities were recently identified in certain versions of ownCloud, the most egregious of which is known to be under active attack. HC3 recommends healthcare organizations running ownCloud identify vulnerable instances and prioritize implementation of the mitigation steps in this document.”

• HC3 also posted a PowerPoint about Open Source Software risks in the health sector.

• Federal News Network informs us,
  • “The Cybersecurity and Infrastructure Security Agency is reminding agencies and the public to patch known cyber vulnerabilities after a federal agency was hacked earlier this year by threat actors leveraging a bug in outdated software.
  • “In a cyber advisory issued this week, CISA said unidentified threat actors exploited a vulnerability in older versions of Adobe ColdFusion software to gain access to the network of a federal civilian executive branch agency. The specific agency was not identifie
  • “Analysis of the agency’s network logs confirmed the compromise of “at least two public-facing servers” within the agency’s environment between June and July of this year.
  • “Both servers were running outdated versions of software which are vulnerable to various [Common Vulnerabilities and Exposures],” CISA said in the advisory.”

• Per Cybersecurity Dive,
  • “Cyberattacks and data breaches are exposing personal data at an ever-growing rate, according to an Apple-commissioned study conducted by Stuart Madnick, professor of IT at Massachusetts Institute of Technology, published Thursday.
  • “More than 2.6 billion personal records were compromised in 2021 and 2022, and the number of records breached jumped 36% in 2022 to 1.5 billion, the report said.
  • “Data breaches at U.S. organizations are at an all-time high, up 20% in the first nine months of 2023 compared to all of last year, the study found.”
• and
  • “Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode. 
  • “The report found nearly one-third of applications are running Log4j2 1.2.x, which reached end-of-life status in August 2015 and no longer receives patch updates. Another 2.8% of applications are still using versions vulnerable to the actual Log4Shell vulnerability.
  • “Veracode found 3.8% of applications are using Log4j2 2.17.0, which was patched against Log4Shell, but contains CVE-2021-44832, another high severity, remote code execution vulnerability.”

• The Wall Street Journal reports,
  • “The recent breach of  23andMe user accounts shows a simple yet powerful truth about data security: Don’t reuse passwords, people.
  • “The DNA test-kit company on Monday reported a hacker accessed 14,000 accounts because of password reuse, exposing information belonging to approximately 6.9 million people. The 23andMe computer network wasn’t breached and wasn’t the source of these compromised credentials, a company spokesman said in a statement. The company first disclosed the incident in October and has been investigating since then.
  • “The passwords used to break into these accounts had most likely been stolen from other websites. Because they were reused, they also worked on 23andMe, security experts say. The type of attack is known as credential stuffing, and it puts 23andMe in the company of other major businesses who have fallen victim to the cybercrime trend, including Netflix, Nintendo, Zoom and PayPal. 
  • “It isn’t uncommon to see credential stuffing used to compromise thousands of accounts, but with 23andMe, the data in question is unusual, said Ryan McGeehan, owner of R10N Security, a cybersecurity consulting firm. 
  • “The issue here is that 23andMe is a social site that also has healthcare information,” he said. “And both of these increase the risk of exposure of the data, and the value of the data itself.” 

From the ransomware front,

• The Hacker News explains ransomware as a service. (Note: The Week in Ransomware was not published this week.)

From the cybersecurity defenses front,

• Security Boulevard offers 2024 predictions for cybersecurity.

• An ISACA experts explains how to create a health security culture.

• Medriva discusses the cybersecurity steps that the Cleveland Clinic has taken.

From the cybersecurity vulnerabilities and breaches front,

• HHS’s Health Sector Cybersecurity Coordination Center posted a Sector Alert about a “Critical Vulnerability in Fortinet FortiSIEM Platform” on November 22, 2023.
  • “Fortinet has identified a vulnerability in its FortiSIEM platform, which is utilized by the Healthcare and Public Health (HPH) sector. This vulnerability enables a threat actor to execute commands on the target system, allowing for a potentially wide-scale and impactful cyberattack. HC3 recommends that all healthcare organizations operating FortiSIEM prioritize the upgrade of these platforms in a timely manner.”

• The Cybersecurity and Infrastructure Security Agency added one more known exploited vulnerability to its catalog on November 21, 2023.

• Dark Reading points out,
  • “A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems.
  • “Experts say this could be the first time they’ve observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS.
  • “The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications.”

• Health IT Security notes,
  • “The HHS Office for Civil Rights (OCR) completed a HIPAA investigation into New York-based Saint Joseph’s Medical Center following claims that the organization had impermissibly disclosed COVID-19 patients’ protected health information (PHI) to a news reporter. Saint Joseph’s Medical Center agreed to pay $80,000 to OCR and implement corrective actions.
  • “OCR launched the investigation following the publication of an article by the Associated Press about the academic medical center’s response to the COVID-19 pandemic. The article included photographs and information about three COVID-19 patients, including diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
  • “Further investigation determined that Saint Joseph’s had provided the information to the Associated Press without first obtaining written consent from the three patients.”

• The HHS Inspector General warns us “about a fraud scheme involving monthly billing for remote patient monitoring.”

From the ransomware front,

• Cybersecurity Dive reports on November 22, 2023,
  • “Criminal threat groups and nation-state actors are exploiting a critical vulnerability in Citrix Netscaler ADC and Netscaler Gateway to launch attacks, the Cybersecurity and Infrastructure Security Agency and FBI warned on Tuesday.
  • “Affiliates of LockBit 3.0 exploited the vulnerability — dubbed CitrixBleed by researchers — to gain access into Boeing’s parts and distribution unit and exfiltrate data, as part of a suspected ransomware attack, according to federal authorities.
  • “CISA, through its ransomware vulnerability warning program, has notified almost 300 organizations they were running vulnerable instances of the devices and needed to take mitigation measures before they were attacked, Eric Goldstein, executive assistant director of cybersecurity at CISA, said during a conference call with reporters.” 
• Here is a link to the CISA analysis of CitrixBleed.

• Cyberscoop provides its perspective on this and related schemes.
  • “Jon DiMaggio, the chief security strategist with Analyst1 who has written extensively on the internal workings of LockBit, said that while there are only a few groups with the “skill and talent and creative ability to do some of these more advanced attacks,” these crews, particularly those associated with the AlphV attacks, are becoming much better at social engineering.
  • “Many major companies still have problems with the cybersecurity basics, DiMaggio said, let alone building help desks that are tough to manipulate. “It’s tough, but they have to change,” DiMaggio said. “Trying to focus on helping people and helping your clients can’t always be number one anymore.” 
  • “That might slow response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”

From the cybersecurity defenses front,

• CISA discusses how the agency has re-envisioned its Cybersecurity Insurance and Data Analysis Working Group to help reduce cybersecurity risk.
  • “When we re-launch the CIDAWG in December, the working group will partner with Stanford’s Empirical Security Research Group, a research lab in Stanford’s Computer Science Department, with the intent to correlate data with cybersecurity controls to understand their effectiveness. CISA will ask working group members to collaborate with Stanford to improve analysis of the aggregated, anonymized loss data and link it with controls effectiveness. This analysis will be a resource both for insurers to inform their risk analysis and for CISA to better understand whether efforts like the Cyber Performance Goals (CPGs) and the Secure by Design initiative are translating to reduced cyber risk exposure for organizations that adopt them.”

• The Wall Street Journal explains why storytelling can improve cybersecurity training.
  • “I recently wrote about the “phishing tests” that many companies use to train (well, scare) employees into being more cyber-vigilant. They send around a phony phishing email, and measure how many people click on it. But my research shows that these tests can actually be harmful. They create fear, stress and distrust among employees, and in the end they don’t improve phishing resistance much.
  • “When I wrote that article, a number of readers wrote in asking a simple question: If phishing tests don’t work, what does?
  • “I believe a better way to train people is to have their peers tell them stories about their experience with scams. Humans have an innate ability to learn from stories about other people—even if they are just casual stories that fall into the middle of a conversation. My research on the topic has found just how effective stories can be when applied to cybercrime: Hearing about somebody else getting snagged by phishing, or narrowly avoiding it, makes people more likely to take security seriously and avoid the mistakes they have heard about.”

• The Hackers News recommends six steps to accelerate cybersecurity incident response.

• ISACA offers a report on optimizing risk transfer for systematic resilience.

Happy Veterans Day! Thanks to all those who served our country.

From the cybersecurity policy front,

• Health IT Security reports,
  • “US Senators Mark Warner (D-VA), Bill Cassidy (R-LA), John Cornyn (R-TX), and Maggie Hassan (D-NH) launched a bipartisan Senate healthcare cybersecurity working group. The group will focus on proposing legislative solutions within the Senate Health, Education, Labor, and Pensions (HELP) Committee to strengthen healthcare cybersecurity.
  • “We are seeing a disturbing rise in cyberattacks on our health care system. These attacks not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy stated. “Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans’ crucial health data.”

• Cyberscoop Informs us,
  • “[On November 2, 2023,] [f]ormer National Security Agency Executive Director Harry Coker told members of the Senate Homeland Security and Governmental Affairs Committee that if he’s confirmed as the next national cyber director, he’d largely continue along the same path as his predecessors.
  • “Coker, who also spent 17 years at the Central Intelligence Agency and had made few public appearances before Thursday’s hearing, expressed appreciation for previous Office of the National Cyber Director work, including the National Cybersecurity Strategy, the subsequent implementation plan and the National Cyber Workforce and Education Strategy.
  • “If confirmed, I would frankly continue the good work that ONCD has done with its partners,” Coker said. He noted in his opening statement he’s “seen the need for stronger partnerships and collaboration between the public and private sectors” and that collaboration would be “the north star” under his leadership.”

• The Cybersecurity and Infrastructure Security Agency (CISA) announced that
  • “Director Jen Easterly and the Republic of Korea’s Deputy Director of the National Intelligence Service (NIS) Baek Jong-wook signed a Memorandum of Understanding (MoU) outlining areas for collaboration under the bilateral Cyber Framework signed by President Biden and Republic of Korea President Yoon in April.   
  • “The Framework affirms cooperation with Korea in key CISA mission areas, to include sharing technical and operational cyber threat information and best practices in cyber crisis management.  In June, senior leaders from both countries determined that CISA and NIS would co-lead a Framework Action Group on critical infrastructure. This Action Group will also bring together Korea’s Ministry of Science and ICT and other USG departments and agencies. ” 

• The National Institute of Standards and Technology (NIST) informed us on November 9, 2023,
  • “The final public draft of NIST Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is now available for public review and comment.  * * *
  • “Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Information, is also available.
  • “The public comment period for both drafts is open through January 12, 2024. We strongly encourage you to use the comment template available on each publication details page, and submit your comments to 800-171comments@list.nist.gov.”

• NextGov offers an overview of the NIST’s final draft publications.

• On November 9, 2023, CISA, the National Security Agency and their partners released.
  • Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry best practices and principles, including managing open source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software.
  • Organizations can use this guide to assess and measure their security practices relative to the software lifecycle; the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.
  • CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.

From the cybersecurity breaches and vulnerabilities front,

• The Wall Street Journal reports,
  • “Business software maker SolarWinds is denying charges that it lacked adequate cybersecurity controls in the build up to a significant hack of its products in 2020, and accused the U.S. Securities and Exchange Commission of misrepresenting facts in its complaint.
  • “On Oct. 30, the SEC announced that it had filed charges against SolarWindsalleging the firm defrauded investors by repeatedly misleading them about its cyber vulnerabilities and the ability of attackers to penetrate its systems. 
  • “The SEC’s lawsuit is fundamentally flawed—both legally and factually—and we plan to defend vigorously against the charges,” SolarWinds said. The SEC declined to comment.”

• Cybersecurity Dive points out,
  • Mortgage servicing provider Mr. Cooper Group shut down multiple systems after it determined a threat actor accessed certain technology systems on Oct. 31, according to a Thursday [November 2, 2023] filing with the Securities and Exchange Commission.
  • The company initiated precautionary containment measures in response to the cyberattack, a move that’s temporarily halting recurring payments and leading customers to make one-time loan payments online, via phone, email or third parties. The status of customers’ loans were last updated Oct. 31.
  • Mr. Cooper is the third-largest mortgage servicer in the U.S. with more than 4.3 million customers, according to the company.

• TechCrunch adds,
  • Mr. Cooper, the mortgage and loan giant with more than four million customers, has confirmed customer data was compromised during a recent cyberattack.
  • In an updated notice on its website published Thursday [November 9, 2023], Mr. Cooper said that it was “still investigating what data may have been exposed,” though it remains unclear what kind of cyberattack hit Mr. Cooper’s system

• CISA added another known exploited vulnerability to its catalog on November 7 and one more on November 8, 2023.

• BusinessTech discusses the vulnerability management lifecycle.

From the ransomware front,

• Because Bleeping Computer did not publish the Week in Ransomware yesterday, here is a notable attack featured in Cybersecurity Dive:
  • “A U.S. subsidiary of China’s largest bank was hit by a ransomware attack Wednesday that resulted in disruption to certain financial services systems, the bank announced Thursday [November 9, 2023].
  • “The hack disrupted the trading of U.S. Treasuries, forcing the Industrial and Commercial Bank of China Financial Services to send required settlement details to certain parties by a messenger carrying a USB stick, according to Bloomberg.
  • “The New York City-based firm said it reported the incident to law enforcement and successfully cleared U.S. Treasury trades executed Wednesday and repo financing trades done Thursday.

• Dark Reading adds,
  • “The disruptive ransomware attack on the world’s largest bank this week, the PRC’s Industrial and Commercial Bank of China (ICBC), may be tied to a critical vulnerability that Citrix disclosed in its NetScaler technology last month. The situation highlights why organizations need to immediately patch against the threat if they haven’t done so already.
  • “The so-called “CitrixBleed” vulnerability (CVE-2023-4966) affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms.
  • “* * * The exploit activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue fresh guidance and resources this week on addressing the CitrixBleed threat. CISA warned of “active, targeted exploitation” of the bug in urging organizations to “update unmitigated appliances to the updated versions” that Citrix released last month.”

• HHS’s health sector cybersecurity coordination center issued an analyst note on Blacksuit ransomware:
  • “A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector. Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially places the group with one of the most active ransomware groups in operation today. Both Royal and the now-defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly. What follows [in the note] is an overview of the potential new group, possible connections to other threat actors, an analysis of its ransomware attacks, its target industries and victim countries, impact to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defense and mitigations against the group.”

• The HIPAA Journal notes,
  • “A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.
  • “To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyber attackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.”

From the cybersecurity defenses front,

• An ISACA expert discusses how “Cyber Advisors, Security Services Providers Can Use Zero-Sum Game Theory Framework to Benefit Clients.”

• Dark Reading explains “How to Outsmart Malware Attacks That Can Fool Antivirus Protection. One of the main challenges for Android users is protecting themselves from malicious applications that can damage devices or perform other harmful actions.”

From the cybersecurity policy front,

• The National Institutes of Standards and Technology (NIST) announced,
  • “NIST is issuing one new proposed control and two control enhancements with corresponding assessment procedures for an expedited 2-week public comment period for October 17–31, 2023. All interested users are invited to provide real-time input to SP 800-53 controls, participate in public comment periods, and plan for future changes to the catalog at the website for Public Comments on SP 800-53 Controls. Review and submit comments on the proposed new control and enhancements by selecting the “Candidates” button. 
  • “NIST will also issue a patch release — SP 800-53 Release 5.1.1 — in early November 2023 via the Cybersecurity and Privacy Reference Tool to help organizations better manage cybersecurity and privacy risks to identity and access management systems. The changes included will not be issued as a new PDF publication at this time, and organizations will have the option to defer implementing the changes included in Patch Release 5.1.1 until SP 800-53, Release 6.0.0 is issued. 
  • “For more information, see the News Item and FAQ about SP 800-53 Comment Period Release 5.1.1.”

• Yesterday, “the Cybersecurity and Infrastructure Security Agency (CISA) announced next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). As directed by the President’s 2023 National Cybersecurity Strategy, CISA, in close coordination with the Office of the National Cyber Director, is embarking on a process to gather input from public and private sector partners– including the federal interagency, Sector Risk Management Agencies (SRMAs), regulators, and critical infrastructure organizations, to identify key changes for incorporation into the updated NCIRP.”
  • Here is a link to the related CISA fact sheet. “CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.”

• The American Hospital Association News adds that federal agencies this week issued “updated guidance to help software manufacturers demonstrate their commitment to secure by design principles and customers ask for products that are secure by design.”

From the cybervulnerabilities and breaches front,

• Dark Reading tells us,
  • “Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.
  • “As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.
  • “So, admins should take note that on Thursday [October 19], Trend Micro’s Zero Day Initiative (ZDI) revealed a series of “High” and “Critical”-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, “The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets.”

• Per Cybersecurity Dive,
  • Cisco will release a security fix Sunday [October 22] to address a critical zero-day vulnerability in Cisco IOS XE software, a spokesperson told Cybersecurity Dive, citing an updated bulletin from the company. 
  • An unidentified hacker exploited the web user interface in Cisco IOS XE and installed malicious backdoors in about 42,000 devices worldwide, security researchers estimate.

• American Hospital News informs us,
  • The CISA, FBI and Multi-State Information Sharing and Analysis Center this week alerted organizations to a critical vulnerability affecting certain versions of the Atlassian Confluence Data Center and Server that enables malicious actors to obtain access to victim systems and continue active exploitation post-patch. The agencies strongly encourage network administrators to immediately apply the recommended upgrades and recommended responses to indicators of compromise.”

• CISA added one more known exploited vulnerability to its catalog on October 16 and two more on October 19.

• HHS’s Health Sector Cybersecurity Coordination Center issued on October 18 an Analyst Note titled “Summary of Findings on Potential ServiceNow Vulnerability.”
  • “On October 14, 2023, a cybersecurity researcher claimed that there is a potential data exposure issue within ServiceNow’s built-in capability that could allow unauthenticated users to extract data from records.
  • “ServiceNow is a cloud computing platform to help companies manage digital workflows for enterprise operations, including the Healthcare and Public Health (HPH) sector. Types of data likely exposed include names, e-mail addresses, and internal documents from potentially thousands of companies.
  • “One cybersecurity company stated that around 70% of total instances seem to be affected in ServiceNow’s capability. The vulnerability has yet to be exploited by threat actors, but the likelihood that it will be is probable.”

• Bleeping Computer reports,
  • “Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks.
  • “Out of more than 1.8 million administrator credentials analyzed, over 40,000 entries were “admin,” showing that the default password is widely accepted by IT administrators.”

From the ransomware front,

• On October 19,
  • “CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated version of the joint #StopRansomware Guide. The update includes new prevention tips such as hardening SMB protocols, revised response steps, and added threat hunting insights.
  • “Developed through the U.S. Joint Ransomware Task Force (JRTF), #StopRansomware Guide is designed to be a one-stop resource to help organizations minimize the risks posed by ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
  • “CISA and its partners encourage organizations to implement the recommendations in the guide to reduce the likelihood and impact of ransomware incidents. For more information, visit CISA’s Stop Ransomware page.”

• Here’s a link to Bleeping Computer’s The Week in Ransomware.
  • “Cybersecurity researchers released interesting reports on ransomware, including:
    • “A new GhostLocker ransomware-as-a-service run by GhostSec.
    • “BlackCat ransomware use of a new ‘Munchkin’ Linux virtual machine in attacks.
    • “More ransomware gangs targeting Confluence servers.
    • “Analysis of Akira’s MegaZord encryptor variant.”

From the cybersecurity defenses front,

• The FEHBlog noticed that Security Week published a series of articles on this topic in October.
  • “Lost and Stolen Devices: A Gateway to Data Breaches and Leaks; By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.
  • Applying AI to API Security; While there is quite a bit of buzz and hype around AI, it is a technology that can add tremendous value to security programs.
  • Addressing the People Problem in Cybersecurity; Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder.

• HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rule, released its October 2023 Cybersecurity Newsletter, which concerns how sanctions policies can support HIPAA compliance.

• NIST “interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.”

• On October 18, CISA “National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.”  

• Dark Reading discusses “Change From Within: 3 Cybersecurity Transformation Traps for CISOs to Avoid.”