From the cybersecurity policy and law enforcement front,

• Federal News Network tells us,
  • “The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).
  • “The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.
  • The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.
  • “OIRA is charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.”

• Here’s the entry in reginfo.gov
  • AGENCY: HHS-OCR. RIN: 0945-AA22. Status: Pending Review. Request EO Meeting
    TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
    STAGE: Proposed Rule. SECTION 3(f)(1) SIGNIFICANT: Yes. RECEIVED DATE: 10/18/2024
    LEGAL DEADLINE: None  
    
• Fedscoop tells us,
  • “The Biden administration published its anticipated national security memo on artificial intelligence Thursday, establishing a roadmap that aims to ensure U.S. competitiveness with adversaries on the technology, while still upholding democratic values in its deployment. 
  • “Specifically, the memo details more responsibilities for the Department of Commerce’s AI Safety Institute, directs agencies to evaluate models for risks and identify areas in which the AI supply chain could be disrupted, outlines actions to streamline acquisition of AI used for national security, and defines new governance practices for federal agencies through a new framework.
  • “In remarks on the memo delivered Thursday at National Defense University, National Security Advisor Jake Sullivan highlighted the potential AI has for the country’s national security advantage but spoke in dire terms about taking action.
  • “The stakes are high,” Sullivan said. “If we don’t act more intentionally to seize our advantages, if we don’t deploy AI more quickly and more comprehensively to strengthen our national security, we risk squandering our hard-earned lead.”

• Per a NIST announcement,
  • “NIST has released an initial public draft (ipd) revision of Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • “NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance on transitioning to the use of stronger cryptographic keys and more robust algorithms.
  • “This revision proposes a) the retirement of ECB as a confidentiality mode of operation and the use of DSA for digital signature generation and b) a schedule for the retirement of SHA-1 and the 224-bit hash functions. This draft also discusses the transition from a security strength of 112 bits to a 128-bit security strength and to quantum-resistant algorithms for digital signatures and key establishment.
  • “The public comment period is open through December 4, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”

• The Wall Street Journal reports,
  • “Four tech companies settled federal cases over allegations they misled investors about the extent to which they were compromised in the 2020 SolarWinds hack. 
  • “Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys didn’t admit wrongdoing in separate deals with the U.S. Securities and Exchange Commission, which found their financial disclosures played down what the companies knew about how their systems were affected by breached SolarWinds software. 
  • “Unisys agreed to pay a penalty of $4 million, and the other three companies will pay about $1 million each.
  • “In a breach disclosed in 2020, which the U.S. later attributed to Russia, hackers slipped malicious code into software from Austin, Texas-based SolarWinds. Thousands of customers inadvertently downloaded the malware. Moscow has denied involvement.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop lets us know,
  • “The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.
  • “The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.
  • “Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure it in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.
  • “The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.”

• The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
• October 21, 2024
  • CVE-2024-9537. ScienceLogic SL1 Unspecified Vulnerability
• October 22, 2024
  • CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability
• October 23, 2024
  • CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability
• October 24, 2024
  • CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
  • CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

• Cybersecurity Dive adds,
  • “Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
  • “Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
  • “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”

• Dark Reading informs us,
  • “Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
  • “APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world’s most notorious threat actor. An arm of the Russian Federation’s Foreign Intelligence Service (SVR), it’s best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft’s codebase and political targets across Europe, Africa, and beyond. Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
  • “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” says Satnam Narang, senior staff research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

• Per Bleeping Computer,
  • “Cisco fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.
  • ‘The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.
  • “A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 security advisory.”

From the ransomware front,

• Dark Reading points out,
  • “Nearly 400 US healthcare organizations have been infected with ransomwarethis fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.
  • “The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware’s most lucrative target sectors.
  • “The disruption that healthcare operations face when hit with ransomware attacks doesn’t just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.” * * *
  • According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.
    
• Cyberscoop relates,
  • “Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
  • “That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant. 
  • “Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
  • “Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.”

• Per Cybersecurity Dive,
  • “Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
  • “SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
  • “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.”

• Bleeping Computer alerts us,
  • “The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
    “Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
    “After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.”

From the cybersecurity defenses front,

• Cybersecurity Dive reports,
  • “Microsoft Chair and CEO Satya Nadella asked for the board to reduce part of his annual compensation package to account for his role in how the company prepared for malicious cyberattacks that led to an overhaul of its internal security culture. 
  • “Nadella received more than $79 million in total compensation in fiscal 2024, which included a base salary of $2.5 million, about $71.2 million in stock awards and $5.2 million in non-equity incentive plan compensation, according to a filing with the Securities and Exchange Commission. The total included almost $170,000 classified as other compensation. 
  • “However, Nadella “asked the board to consider departing from the established performance metrics and reduce his cash incentive to reflect his personal accountability for the focus and speed required for the changes that today’s cybersecurity threat landscape showed were necessary,” according to a letter included in the filing from the compensation committee at Microsoft.” 

• Per Bleeping Computer,
  • Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.
  • The company also seeks to improve the system’s security and has expanded its security bounty program to include rewards of up to $1 million for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC.”
  • Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy.
    
• Cybersecurity Dive shares Gartner’s four ways AI could impact employees, workflows.

• Here is a link to Dark Reading’s CISO Corner.

• An ISACA commentator discusses “How the Emerging Technology Landscape is Impacting Cybersecurity Audits.”

• “In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.”

• Tripwire shares “Advanced Tips for Leveraging the NIST Cybersecurity Framework for Compliance.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop tells us,
  • “Members of Congress are pressing federal agencies and telecommunications companies for more information about a reported Chinese government-backed hacking campaign that breached the networks of at least three major U.S. telecoms.
  • “Earlier this month, the Wall Street Journal reported that a hacking group tied to Beijing successfully broke into the networks of Verizon, AT&T and Lumen Technologies. The hackers reportedly went undetected for months, possibly gaining access to systems and infrastructure used to process court-authorized wiretaps.
  • ‘On Thursday, Republican and Democratic leaders on the House Energy and Commerce Committee wrote to the three telecommunication firms asking for more information on their response, calling the incident “extremely alarming for both economic and national security reasons.” * * *
  • “The members requested a briefing with the telecoms to learn more about when they became aware of the compromise, findings from any internal investigations and subsequent engagement with law enforcement, their plans to notify affected customers and what if any corrective steps have been taken to harden cybersecurity in the wake of the incident.
  • “The House Homeland Security Committee has also requested a briefing on the hack from the Cybersecurity and Infrastructure Security Agency, according to a committee aide.”

• Federal News Network lets us know,
  • “The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today [October 11], further paving the way for CMMC requirements to show up in contracts starting next year.
  • “The final CMMC program rule was released for public inspection today. It’s expected to officially publish in the Federal Register on Tuesday, Oct. 15.
  • “The rule establishes the mechanisms for the CMMC program. The goal of CMMC is to verify whether defense contractors are following cybersecurity requirements for protecting critical defense information. Many contractors will be required to receive a third-party audit under the program, a significant departure from the current regime of relying on self-attestation.”

• Per an October 3, 2024, HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack breach report investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.
  • “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.” * * *
  • “The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html“
    
• Fedscoop notes,
  • “The Department of Health and Human Services is working on a new strategic plan for the use of artificial intelligence across the entire breadth of its mission, the department’s top AI official said Tuesday.
  • “Micky Tripathi — HHS’s acting chief AI officer and its assistant secretary for technology policy — said at the NVIDIA AI Summit in Washington, D.C., that the AI strategic plan should arrive sometime in January and that it will span “the entire, you know, sort of breadth of what the department covers.”
  • “During a panel discussion, Tripathi detailed the complex web of mission sets spanning “the value chain of life sciences and health care” that HHS oversees that the new strategic plan will attempt to wrap its arms around. Those include medical research and discovery, preclinical work, measuring the safety and effectiveness of medical products, health care delivery, health technology standards setting, human services, public health and more, he said.”

From the cybersecurity vulnerabilities and breaches front,

• Beckers Health IT informs us,
  • “In the past 12 months, 92% of healthcare organizations reported experiencing at least one cyberattack, up from 88% in 2023, an Oct. 8 survey from Proofpoint and Ponemon Institute found.
  • “Of those cyberattacks, 69% reported disruptions to patient care as a direct consequence.”

• The American Hospital Association News reports,
  • “The FBI, along with the National Security Agency, Cyber National Mission Force and United Kingdom’s National Cyber Security Centre, today released a joint agency advisory on cyber operations by the Russian Federation’s Foreign Intelligence Service (SVR), also known as APT29, Midnight Blizzard, Cozy Bear, and the Dukes, targeting U.S. and global entities. The agencies recommend prioritizing rapid patch deployment and keeping software up to date to protect against cyberattacks.
  • “This alert highlights the SVR’s aggressive targeting of U.S. critical infrastructure for espionage and possible future offensive cyber operations,’ said John Riggi, AHA national advisor for cybersecurity and risk. “Although health care is not cited as being intentionally targeted by this SVR campaign, it is noted that any entity could become a target of opportunity if it has internet-facing vulnerabilities. The SVR takes advantage of opportunistic tactics to host malicious infrastructure, conduct follow-on operations from compromised accounts, or attempt to pivot to other networks on unprotected victim infrastructure. To mitigate this threat and other types of cyberattacks, such as ransomware attacks, it is imperative that health care entities prioritize patching internet-facing vulnerabilities, employ multi-factor authentication and follow the voluntary cybersecurity performance goals.”

• HHS’s Health Section Cybersecurity Coordination Center issued its September report on vulnerabilities of interest to the health sector.

• Cyberscoop points out,
  • “The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.
  • “The cybersecurity firm found that the number of malicious packages intentionally uploaded into open-source repositories has jumped by more than 150% compared to last year. Open-source software, a transparent development process where almost anyone can contribute to the code and components, is the bedrock of the digital age that can be found in most modern digital technologies.
  • “Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.
  • “Vulnerabilities in open-source packages and the developers who maintain them have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers with the aim of inserting a vulnerability that would have been found in Linux servers throughout the world.”

• The Cybersecurity and Infrastructure Security Agency (CISA) alerted us on October 10,
  • CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.
  • CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. Additionally, F5 has developed an iHealth heuristic to detect and alert customers when cookie persistence profiles do not have encryption enabled. BIG-IP iHealth is a diagnostic tool that “evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices” to help users verify the optimal operation of their BIG-IP systems.

• CISA added six more known exploited vulnerabilities to its catalog this week.
  • October 8, 2024
    • CVE-2024-43047 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
    • CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
    • CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability
  • October 9, 2024
    • CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability
    • CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
    • CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

• Cybersecurity Dive adds,
  • “Ivanti released updates for three actively exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance, which hackers are chaining together with a previously disclosed path traversal vulnerability, the company said in a Tuesday blog post. 
  • “Successful exploitation of the flaws can allow an attacker to gain administrative privileges to bypass restrictions, obtain remote code execution or run arbitrary SQL statements. The vulnerabilities are listed as CVE-2024-9379, CVE-2024-9380, CVE-2024-9381. 
  • “Ivanti previously disclosed and issued a patch that would address the prior critical vulnerability, listed as CVE-2024-8963, on Sept. 10. The company said it discovered the path traversal vulnerability when it was investigating exploitation of an OS command injection vulnerability, listed as CVE-2024-8190.”

From the ransomware front,

• Tech Radar reports,
  • “The number of active ransomware groups over the last 12 months is on the rise as criminals look for more ways to target businesses, new research has claimed.
  • “The 2024 State of Threat Report from Secureworks has revealed a rise in the number of active ransomware groups over the last 12 months – identifying a 30% rise in the number of active groups.
  • “The figures represents a diversification of the landscape rather than a particularly drastic increase in criminals. Since the notorious Lockbit disruption, in which the most prolific group was briefly shut down, the ransomware ecosystem has evolved, with 31 new groups being established.” * * *
  • “One of the key findings from the report is that unpatched vulnerabilities remain the top Initial Access Vector (IAV) in ransomware attacks, making up almost 50% of all IAVs. This outlines more than ever the importance of staying on top of cybersecurity and software updates.”

• Per Security Affairs,
  • “Sophos researchers warn that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware.
  • “In early September 2024, Veeam released security updates to address multiple vulnerabilities impacting its products, the company fixed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
  • “The most severe flaw included in the September 2024 security bulletin is a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 (CVSS v3.1 score: 9.8) impacting Veeam Backup & Replication (VBR).”

• Palo Alto Networks Unit 24 tells us,
  • “In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK.
  • “Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven’t confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.”

From the cybersecurity defenses front,

• American Hospital Association cybersecurity expert John Riggi offers his perspective on this year’s cybersecurity challenges in the healthcare sector.

• “Moffitt Cancer Center was one of many health systems impacted by the Change Healthcare ransomware attack earlier this year. The organization’s VP of RCM operations [Lynn Ansley] explains [in Health Leaders] how she navigated the disaster.”

• Here is a link to Dark Reading’s CISO Corner.

• HHS’s 405(d) program shares an endpoints security poster with the public.

From the cybersecurity policy front,

• Healthcare Dive informs us,
  • “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
  • “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
  • “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
  • “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 
  • “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 
  • “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
• Wow. It strikes the FEHBlog that at least parts of this bill, in not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.

• Why? Beckers Health IT adds,
  • “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
  • “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”

• Cybersecurity Dive points out,
  • “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 
  • “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
  • “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”

• Per a NIST press release,
  • “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
  • “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”

From the CrowdStrike front

• Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.

From the cyber breaches and vulnerabilities front,

• Cybersecurity Dive lets us know,
  • “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
  • “The vulnerabilities, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP urls on a printer with a malicious version, giving them the ability to command capabilities on a system. 
  • “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”

• This week, the Cybersecurity and Infrastructure Security Administration added one known exploited vulnerability to its catalog on September 24, 2024,
  • CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

• Cybersecurity Dive cautions,
  • “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory. 
  • “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.  
  • “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
  • “NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.” 

From the ransomware front,

• Modern Healthcare tells us,
  • The number of healthcare providers affected by ransomware attacks is steadily growing. 
  • More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.

• Bleeping Computer warns,
  • “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
  • “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
  • “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”

• PC World explains how to turn on Microsoft Windows’ built in ransomware protection.

From the cybersecurity defenses front,

• SC Media calls attention to “five ways to beef up network security and reduce data theft.”
  • “Rethink access control
  • “Raise the firewall game
  • “Take incident response seriously
  • “Tap into network visibility
  • “Segment the network
• “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
  
• A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”

• Per a CISA press release,
  • “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
  • “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
  • “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.”

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us
  • “A record number of federal agencies and their chief information officers are getting top marks on how they manage IT and cybersecurity.
  • “A total of 13 agencies [including the U.S. Office of Personnel Management] received an overall A letter grades on a semiannual Federal IT Acquisition Reform Act (FITARA) scorecard.
  • “Another 10 agencies got a B grade for their overall IT and cybersecurity management. Only one agency, the Energy Department, received a C grade. No agencies received a D or an F.
  • “Agencies generally saw lower scores in the previous FITARA scorecard released in February.”

• KFF Health News gives low marks to the federal agencies responsible for protecting healthcare organizations against cyberattacks.

• Per a CISA press release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan today. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
  • “Each FCEB agency has a unique mission, and thus have independent networks and system architectures to advance their critical work. This independence means that agencies have different cyber risk tolerance and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.” * * *
  • “The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities. 
  • “The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.”

• Per a NIST press release,
  • “NIST is establishing a program for the cybersecurity and privacy of AI and the use of AI for cybersecurity and privacy.
  • “The program will build on existing NIST expertise, research and publications such as:
    • “The Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (NIST SP 218A); 
    • “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2);
    • “Enabling privacy in the age of AI: Draft Guidelines for Evaluating Differential Privacy Guarantees (NIST SP 800-226); 
    • “Recent introduction of Security of AI as a Competency Area as part of the NICE Workforce Framework for Cybersecurity (NICE Framework);
    • “Tools such as Dioptra – a test platform that aims to facilitate evaluations of machine learning algorithms, including cybersecurity, under a diverse set of conditions.
    • “A PETs Testbed which provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, including protecting machine learning models from privacy attacks.

• Dark Reading reports,
  • “The Justice Department today [September 19] announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.
  • “According to unsealed documents, the botnet, known as Raptor Train, is operated by People’s Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.
  • A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.”

From the cyber vulnerabilities and breaches front,

• Cybersecurity Dive lets us know,
  • “Ivanti warned Thursday of a critical path traversal vulnerability in Cloud Service Appliance, which is currently facing exploitation attempts by hackers. The vulnerability, listed as CVE-2024-8963, has a CVSS score of 9.4 and allows an unauthenticated hacker to gain access to restricted functionality.
  • “Ivanti previously issued a patch for CSA on Sept. 10., but the company said the path traversal vulnerability was discovered while investigating exploitation linked to an OS command injection vulnerability, listed as CVE-2024-8190. 
  • “The company warned that when the two vulnerabilities are used in conjunction with each other, a hacker can bypass admin authentication and execute arbitrary commands.” 

• Dark Reading tells us “Security Firm’s North Korean Hacker Hire was not an Isolated Incident; What happened to KnowBe4 also has happened to many other organizations, and it’s still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.” Check out the article.

• CISA added twelve known exploited vulnerabilities to its catalog this week.
  • “September 16, 2024
    • CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
    • CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability”
  • “September 17, 2024
    • CVE-2014-0497 Adobe Flash Player Integer Underflow Vulnerability
    • CVE-2013-0643 Adobe Flash Player Incorrect Default Permissions Vulnerability
    • CVE-2013-0648 Adobe Flash Player Code Execution Vulnerability
    • CVE-2014-0502 Adobe Flash Player Double Free Vulnerability”
  • “September 18, 2024
    • CVE-2024-27348 Apache HugeGraph-Server Improper Access Control Vulnerability
    • CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution” Vulnerability
    • CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
    • CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability
    • CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability”
  • “September 19, 2024
    • CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability”

From the ransomware front,

• Dark Reading informs us,
  • “Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.
  • “Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.
  • “In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group’s latest weapon: Inc ransomware.”

• Per Cybersecurity Dive,
  • “A special legislative committee in Suffolk County, New York, found officials ignored repeated warnings and failed to prepare ahead of a September 2022 ransomware attack that disrupted essential government services for months, in a report released last week.
  • “Officials blamed the ransomware attack on a failure of leadership, including the lack of an incident response plan and a failure to respond to FBI warnings of potential infiltration. 
  • “Suffolk County operated using a variety of IT teams and had no CISO, resulting in a lack of coordination on how to prepare for potential cyber threats. The attack has so far cost the county more than $25 million in remediation costs and other expenses.”

• Cyberscoop reports on a debate of experts at the 2024 mWISE conference about what more could be done to stop ransomware attacks in the wake of police action and tens of millions in ransom payments over the past year. 

From the cyber defenses front,

• Cyberscoop points out,
  • “UnitedHealth Group is still in the recovery process months after a ransomware attack on its Change Healthcare subsidiary, with its chief information security officer saying the company has essentially “started over” with regard to its computer systems. 
  • “When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.” 

• Cybersecurity Dive adds,
  • “CEOs and company boards often ask Kevin Mandia, founder and former CEO of Mandiant, how to determine the strength of their CISOs. Above all else, Mandia advises executives to assess their CISO’s disposition.
  • “Do you have a CISO with a security mindset?” “If they don’t have that, you’re probably not going to have a great security program,” Mandia said Wednesday during his opening keynote at the Mandiant Worldwide Information Security Exchange conference in Denver.” * * *
  • “Over the past couple decades Mandia’s crafted a series of five questions designed to help executives and board members test their confidence in a CISO’s ability to excel in their job.
  • “The questions on Mandia’s CISO confidence test include:
    • How would you break into us? What is our weak spot?
    • What is our worst-case scenario?
    • What would you do if the worst-case scenario occurred?
    • How resilient are we? How long would it take to recover our systems and applications?
    • What do you need?
  • “Mandia, who now serves in a strategic security advisor role at Google Cloud, said CEOs should focus on their CISO’s response to these questions as a measure of their demeanor.
  • “I tell CEOs, you don’t even care what the answer is to these questions as long as your CISO actually has one, because at least that means you have the mindset,” Mandia said.”

• Health Tech offers five steps to follow after a breach.

• Per Bleeping Computer,
  • “Microsoft announced today that Hotpatching is now available in public preview for Windows Server 2025, allowing installation of security updates without restarting.
  • “Hotpatching deploys Windows security updates without requiring a reboot by patching the in-memory code of running processes without restarting them after each installation.
  • “Among the benefits of Windows Hotpatching, Redmond highlights faster installs and reduced resource usage, lower workload impact because of fewer reboots over time, and improved security protection because it reduces the time exposed to security risks.
  • “Instead of 12 mandatory reboots a year on ‘Patch Tuesday,’ you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month),” said Windows Server Director of Product Hari Pulapaka on Friday [September 20].”
    
    

From the cybersecurity policy front,

• Federal News Network tells us,
  • “White House officials are contemplating a new cybersecurity executive order that would focus on the use of artificial intelligence.
  • “Federal cybersecurity leaders, convening at the Billington Cybersecurity Conference in Washington this past week, described AI as both a major risk and a significant opportunity for cyber defenders.
  • ‘White House Deputy National Security Advisor Anne Neuberger called AI a “classic dual use technology.” But Neuberger is bullish on how it could improve cyber defenses, including analyzing logs for cyber threats, generating more secure software code, and patching existing vulnerabilities.
  • “We see a lot of promise in the AI space,” Neuberger said. “You saw it in the president’s first executive order. As we work on the Biden administration’s potentially second executive order on cybersecurity, we’re looking to incorporate some particular work in AI, so that we’re leaders in the federal government in breaking through in each of these three areas and making the tech real and proving out what’s possible.”

• Per a Labor Department Employee Benefit Security Administration press release,
  • “In its continuing effort to protect U.S. workers’ retirement and health benefits, the U.S. Department of Labor today updated current cybersecurity guidance confirming that it applies to all types of plans governed by the Employee Retirement Income Security Act, including health and welfare plans, and all employee retirement benefit plans.
    • “The new Compliance Assistance Release issued by the department’s Employee Benefits Security Administration provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants. The release updates EBSA’s 2021 guidance and includes the following:
    • “Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
    • “Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks. 
    • “Online Security Tips: Offers plan participants who check their online retirement accounts with rules for reducing the risk of fraud and loss.”

• Cybersecurity Dive lets us know,
  • “The White House Office of the National Cyber Director launched a program Wednesday to help fill the gap of about 500,000 available cybersecurity jobs across the country. 
  • “Service for America, a program developed alongside the Office of Management and Budget and the Office of Personnel Management, is a recruitment and hiring push that will help connect Americans with available jobs in cybersecurity, technology and artificial intelligence. 
  • “The program’s major emphasis is to reach job candidates without traditional qualifications, such as computer science or engineering backgrounds. 
  • “Many Americans do not realize that a cyber career is available to them,” National Cyber Director Harry Coker Jr. said in a blog post released Wednesday. “There is a perception that you need a computer science degree and a deeply technical background to get a job in cyber.”
  • “In reality, Coker said people of all backgrounds can find well-paying jobs in cybersecurity, and the White House has been promoting efforts to connect a new generation of prospective candidates into those positions.”
• and
  • “Marsh McLennan and Zurich Insurance Group on Thursday [September 5] issued a call for government intervention to help resolve the growing risk of catastrophic cyber events and a multibillion dollar gap in terms of what the current insurance market can absorb. 
  • “The cyber insurance market has seen significant growth in recent years, and is expected to exceed $28 billion in gross written premiums in 2027, more than double the amount written in 2023, according to a whitepaper released by the firms Thursday.  
  • “However, the companies warn a risk protection gap of about $900 billion exists between insured losses and economic losses due to cyberattacks. Many small- to medium-sized businesses are either underinsured or carry no coverage to protect against such losses.” 

From the cyber vulnerabilities and breaches front,

• Per a Centers for Medicare Services press release,
  • “The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying people whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Part A/B claims and related services for CMS.  
  • “The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS. WPS is among many organizations in the United States that have been impacted by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of healthcare providers that some individuals who are not Medicare beneficiaries have visited to receive health care services.
  • “CMS and WPS are mailing written notifications to 946,801 current people with Medicare whose PII may have been exposed, informing them of the breach and explaining actions being taken in response.”

• Cybersecurity Dive reports,
  • “Federal authorities in the U.S. and nine other countries warn that threat groups affiliated with Russia’s military intelligence service are targeting global critical infrastructure and key resource sectors, according to a joint cybersecurity advisory released Thursday. 
  • “Threat groups affiliated with a specialist unit of the Russian General Staff Main Intelligence Directorate have targeted government services, financial services, transportation systems, energy, and healthcare sectors of NATO members and countries in Europe, Central America and Asia, officials said in the advisory.
  • “To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional EU countries,” authorities said in the advisory. The attackers have defaced victim websites, scanned infrastructure, and exfiltrated and leaked stolen data.”

• The Cybersecurity and Infrastructure Security Agency added three known exploited vulnerabilities to its catalog:
  • September 3, 2024
    • CVE-2021-20123 Draytek VigorConnect Path Traversal Vulnerability
    • CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability
    • CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability

• Dark Reading adds,
  • “This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.
  • “The vulnerabilities affect Baxter’s Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.”

• Per Cybersecurity Dive,
  • “Just over half of businesses in the U.S. and U.K. have been targets of a financial scam powered by “deepfake” technology, with 43% falling victim to such attacks, according to a survey by finance software provider Medius.
  • “Of the 1,533 U.S. and U.K. finance professionals polled by Medius, 85% viewed such scams as an “existential” threat to their organization’s financial security, according to a report on the findings published last month. Deepfakes are artificial intelligence-manipulated images, videos, or audio recordings that are bogus yet convincing.
  • “More and more criminals are seeing deepfake scams as an effective way to get money from businesses,” Ahmed Fessi, chief transformation and information officer at Medius, said in an interview. These scams “combine phishing techniques with social engineering, plus the power of AI.”

From the ransomware front,

• Tech Radar points out,
  • “Research from Searchlight Cyber has shown the number of ransomware groups that operated in the first half of 2024 rose to 73, up from 46 in the same period of 2023. The findings suggest law enforcement’s efforts to curb cyber criminal groups have seen some success, especially in disrupting the operations of notorious group BlackCat, which has since dissolved.
  • “Groups were targeted by law enforcement in ‘Operation Cronos’, which facilitated the arrests of two people, took down 28 servers, obtained 1,000 decryption keys, and froze 200 crypto accounts – all linked to the infamous LockBit organization.
  • “Although the number of groups has risen, the number of victims has fallen, which indicates a potential diversification rather than growth of ransomware groups. Other Ransomware as a Service (RaaS) groups such as RansomHub and BlackBasta have become more active, complicating the landscape for cyber security.

• Tripwire fills us in about Cicada ransomware.

• ‘Per Cybersecurity Dive,
  • “A previously disclosed cyberattack at Halliburton disrupted parts of its operations and information was stolen in connection with the incident, the company said in a filing with the Securities and Exchange Commission Tuesday. 
  • “Halliburton discovered the attack in late August and immediately shut off certain services as a proactive measure. It continues to offer its products and services across the globe, the company said.
  • “The Houston company has incurred and will continue to incur certain expenses related to the attack. However, it does not expect the attack to have a material impact on its financial condition or results of operations.”

From the cybersecurity defenses front,

• The Wall Street Journal reports,
  • “Cybersecurity professionals are reporting modest budget increases amid the need to defend against new hacking threats and secure emerging technologies such as artificial intelligence.
  • “Spending on cybersecurity is rising 8% this year, compared with 6% in 2023, according to a survey of chief information security officers published Thursday by cybersecurity consulting firm IANS and recruiting company Artico Search. The survey polled 755 CISOs from April into August, with 681 completing its budget section.
  • “Despite the small improvement, security spending is growing at a lower rate than the 17% increase in 2022. Still, the shift indicates a gradual recovery after companies slowed cyber spending and in some cases froze hiring after the pandemic, said Steve Martano, an Artico partner and IANS faculty member. 
  • “People are feeling more optimistic than they were six months ago,” Martano said, adding that more cybersecurity leaders are seeing small budget increases and there are signs the security job market will improve.”

• Dark Reading offers a commentary on “How CISOs Can Effectively Communicate Cyber-Risk. A proximity resilience graph offers a more accurate representation of risk than heat maps and risk registers,and allows CISOs to tell a complex story in a single visualization.”

• ISACA offers a commentary on “The Never-ending Quest: Why Continuous Monitoring is Crucial for Cybersecurity.”

• If you work for or represent a small or medium sized HIPAA covered entity or business associate, you may want to “register for an introductory webinar [to held on September 10 at noon ET and September 11 at 3 pm] on the free Security Risk Assessment Tool (SRA Tool) hosted by Altarum with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP). The webinar will also feature changes in SRA Tool version 3.5, available in September 2024.”

• Security Week shares a discussion between CSOs Jaya Baloo from Rapid7 and Jonathan Trull from Qualys about the route, role, and requirements in becoming and being a successful CISO.