Articles

Government-mandated SBOMs to throw light on software supply chain…

The US government will soon require vendors to provide a software bill of materials to help ensure integrity of an application’s components.

President Biden’s executive order (EO) on cybersecurity, released on May 12, is a sprawling and comprehensive document that aims to redress weaknesses in the digital security ecosystem. It is peppered with nearly 50 actions that the federal government must take within extraordinarily tight timeframes, signaling the urgency of the cybersecurity crisis the country faces.

Several parts of the EO seek to shore up software security. This long-overlooked and arcane topic has taken on new urgency following the SolarWinds and Microsoft Exchange software supply chain hacks.

The first software security deadline in the EO, assigned primarily to the Commerce Department’s National Institute of Standards and Technology (NIST), is to publish a definition of what constitutes “critical software,” which in turn will trigger actions by other government agencies. NIST’s deadline for producing this definition is June 26, which is why the agency held a quickly organized workshop on June 2 and 3 attended by around a thousand interested parties.

Fifteen days after the release of NIST’s definition of critical software, another arm of the Commerce Department, the National Telecommunications and Information Administration (NTIA), will publish “minimum elements” of something that has been evolving over the past several years in the cybersecurity realm, a software bill of materials, or SBOM.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

US Congress tees up ambitious cybersecurity agenda in the…

Roughly 115 cybersecurity-related bills are working their way through the legislative process, in many cases with bipartisan support.

The Biden Administration has been thrown into a thicket of cybersecurity troubles in its first six months, forcing the White House to issue complex cybersecurity executive orders, directives and policy changes in rapid succession. Congress, meanwhile, is teeing up an ambitious cybersecurity agenda of its own, sparking hopes that the recent spate of cybersecurity crises might break through the partisan logjam that has increasingly blocked meaningful legislative action.

Last week, Senator Majority Leader Chuck Schumer (D-NY) initiated a review of recent high-profile ransomware attacks in the run-up to new legislation. Then, Chairman Gary Peters (D-MI) and Rob Portman (R-OH), chair and ranking member of the Senate Homeland Security Committee sent a letter to national security adviser Jake Sullivan and Shalanda Young, the acting director of the Office of Management and Budget, asking the two officials to spell out within 30 days the legal authorities they think federal agencies need to combat ransomware attacks. Their responses could serve as the basis for new legislation to rein in ransomware.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Feds seize $2.3 million in cryptocurrency wallet reportedly used…

The successful seizure could encourage other victims to better cooperate with federal agencies and cause ransomware gangs to rethink their operations.

The Justice Department announced yesterday that it had seized 63.7 bitcoins currently valued at approximately $2.3 million that allegedly represents some portion of a May 8 payment by the Colonial Pipeline company to DarkSide ransomware attackers. Colonial Pipeline admitted paying the cybercriminals a total ransom of around $4.4 million in bitcoin to restore full functionality to its systems following the crippling ransomware attack announced by the company on May 7.

The Special Prosecutions Section and Asset Forfeiture Unit of the US Attorney’s Office for the Northern District of California seized the bitcoin wallet after a magistrate judge for the Northern District of California authorized a seizure warrant. News of the wallet seizure came as little surprise given that the DarkSide attackers themselves foreshadowed it when they announced in mid-May that the group lost control over some of its servers, including a payment server, and was shutting down due to “pressure” from the United States. At that time, DarkSide also stated that some of its funds had been withdrawn to an unknown account.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

TSA’s pipeline cybersecurity directive is just a first step…

The new, hastily announced security directive requires US pipeline companies to appoint a cybersecurity coordinator and report possible breaches within 12 hours.

The Transportation Safety Administration (TSA), an arm of the US Department of Homeland Security (DHS), released a Security Directive on Enhancing Pipeline Cybersecurity. TSA released the document two days after the Biden administration leaked the details of the regulations and less than a month after the ransomware attack on Colonial Pipeline created a significant gas shortage in the Southeast US.

As a result of post-9/11 government maneuvering, the TSA gained statutory authority to secure surface transportation and ensure pipeline safety. The directive follows largely ineffective, voluntary pipeline security guidelines established by the TSA in 2010 and updated in 2018.

This new regulation requires that designated pipeline security companies report cybersecurity incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) no later than 12 hours after a cybersecurity incident is identified. The TSA estimates that about 100 companies in the US would fall under the directive’s mandates.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

How the post-pandemic world will challenge CISOs

More permanent remote workers, requirements for protecting health data, and a more dangerous threat landscape await security teams as the COVID crisis ends.

CISOs will have to manage new security challenges in a post-pandemic world. Reconfigured workplaces and employee health considerations, as well as increased threats, have been foisted on organizations just as many security workers are feeling tired and stressed out, according to experts speaking at last week’s RSA Conference.

“When COVID first hit, we jumped in like ‘we do insecurity all the time.’ We went into firefight mode, and we’re good at it, and we practice it,” Helen Patton, advisory CISO of Cisco Secure and former CISO at Ohio State University, said. “We’re hitting the cadence of this going on for so long. You can feel the stress; you can feel the overworked-ness.”

More focus on work-life balance

“We’ve been running our folks way over 100% for 18 months, and there’s no end in sight to that,” Patton continued. “I think we have to get better at planning for the unexpected, which means planning for the team so that we’re not burning them out.”

The increased workload did have some upsides, Patton said. “I do think that as a result, we saw some good things coming out of it, which is just an appreciation for that work-life balance.”

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

SolarWinds, Exchange attacks revive calls for mandatory breach notification,…

Strong two-way communication between government and the private sector combined with a clear national breach notification policy will put a dent in cybercrime, experts say.

On the heels of three major cybersecurity incidents over the past six months—the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware attack—government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

“We seem to talk endlessly about information-sharing,” Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit that enables cybersecurity providers to share threat intelligence, said during a presentation at the RSA Conference last week. “Virtually every cybersecurity panel study or review for the last half-century seems to have an information-sharing recommendation in it. No one is really against information sharing in theory. Yet, information sharing never seems to quite work.”

“One of the reasons that companies feel uncomfortable talking about cybersecurity incidents or sharing information about cybersecurity incidents…is because they’re worried that somebody’s going to say, ‘Ha! You had terrible cybersecurity.'” Daniel tells CSO. “But the issue is that we actually don’t know what’s good or bad cybersecurity.” He calls for a “standard of care,” some better means of actually measuring what good cybersecurity constitutes.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Biden administration releases ambitious cybersecurity executive order

Though lacking in definitional clarity, this new executive order might be more effective than past federal efforts, especially in the wake of the Colonial Pipeline attack.

Capping a dramatic week that saw major oil pipeline provider Colonial Pipeline crippled by a ransomware attack, the Biden administration released a highly anticipated, far-reaching and complex Executive Order on Improving the Nation’s Cybersecurity. The executive order (EO) aims to chart a “new course to improve the nation’s cybersecurity and protect federal government networks.”

The ambitious document uses the SolarWinds and Microsoft Exchange supply chain hacks and the Colonial Pipeline ransomware infection as springboards for a series of initiatives that aim to minimize the frequency and impact of these kinds of incidents. These initiatives are:

  1. Remove barriers to threat information sharing between government and the private sector, particularly ensuring that IT service providers can share security breach information with the federal government.
  2. Modernize and implement stronger cybersecurity standards in the federal government, including a move to cloud services and zero-trust architectures and multi-factor authentication (MFA) and encryption mandates.
  3. Improve software supply chain security, including establishing baseline security standards for software development for software sold to the government. The Commerce Department must publish minimum elements for a software bill of materials (SBOM) that traces the individual components that make up software.
  4. Establish a cybersecurity safety review board consisting of government and private sector experts who convene following a significant cybersecurity incident to make recommendations, much like the National Transportation Safety Board (NTSB) does in the aftermath of a major transportation accident.
  5. Create a standard playbook for responding to incidents to ensure all federal agencies meet a standard playbook and set of definitions for incident response.
  6. Improve detection of cybersecurity incidents on federal government networks by enabling a government-wide endpoint detection and response (EDR) system and improved information sharing within the federal government.
  7. Improve investigative and remediation capabilities by creating cybersecurity event log requirements for all federal agencies.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Colonial Pipeline shutdown highlights need for better OT cybersecurity…

Experts weigh in on what the Colonial attack teaches critical infrastructure providers about preparation and incident response.

In one of the most disruptive cybersecurity incidents to take place in the United States, Georgia-based Colonial Pipeline announced late Friday that it was the victim of a cyberattack, later confirmed to be a ransomware attack. The company said it proactively took specific systems offline and halted all pipeline operations.

Colonial called in federal authorities and hired FireEye Mandiant to conduct an incident response investigation. On Sunday, the third day of its shutdown, Colonial said it was developing a system restart plan while keeping its four main oil lines offline. The company said it would bring its “full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”

News of Colonial’s shutdown reverberated all weekend throughout the cybersecurity world, given how critical Colonial’s pipeline business is to the nation’s economic health. Colonial transports 2.5 billion barrels of oil per day to the eastern US and connects to 30 refineries and almost 300 distribution terminals. It carries gas and other fuel from Texas to the Northeast, delivering around 45% of the fuel consumed on the East Coast.

The criticality of Colonial Pipeline to the national infrastructure became clear late Sunday when the Biden administration issued emergency waivers in response to the cyberattack, lifting limits on the transportation of fuels by road as fears of shortages begin to put upward pressure on oil and gas prices. Commerce Secretary Gina Raimondo said that the President had been briefed, and it’s an “all-hands-on-deck” situation to ensure the attack doesn’t disrupt the US oil supply.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by SELİM ARDA ERYILMAZ on Unsplash

 

Articles

Task force proposes framework for combatting ransomware

A diverse coalition of experts from business and the public sector present 48 recommendations for solving the ransomware crisis, including international cooperation and regulating cryptocurrencies.

Ransomware, the “perfect crime” of the internet era, is spreading rapidly, growing according to some accounts by 150% or more in 2020. There are no signs of a slow-down in 2021. The average ransom demanded by attackers jumped 43% from Q4 2020 to Q1 2021 to $220,298 as threat groups target bigger and more vulnerable organizations, from police forces to hospitals to municipal school districts.

Two significant factors aid the inevitability of ransomware. The first is the ease with which cybercriminals can earn money from their ransomware endeavors. The second factor bolstering the ransomware market is the inability of law enforcement or government officials to do much of anything about these kinds of attacks.

Acknowledging that the ransomware problem has gone from bad to worse, the Biden administration’s Justice Department has launched a task force that reportedly targets the entire digital ecosystem that supports ransomware. That task force consists of the Justice Department’s criminal, national security, and civil divisions, the Federal Bureau of Investigation (FBI), and the Executive Office of US Attorneys, which supports the 93 top federal prosecutors across the country.

Now a 60-plus member coalition of volunteer experts from industry, government, law enforcement, insurers, international organizations, and other areas has put forth a comprehensive framework of 48 actions that government and industry can pursue to disrupt the ransomware market. The Ransomware Task Force, primarily organized by the Institute for Security and Technology, is issuing a report today called Combatting Ransomware, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Biden administration releases 100-day plan to address electric system…

The plan focuses largely on supply chain risks to the electric grid, requests input on the DOE’s role in coordinating cybersecurity efforts.

On April 20, the Biden administration, through the United States Department of Energy (DOE), issued what it is calling its 100-day plan to address cybersecurity risks to the US electric system. The plan is a coordinated effort among DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). It “represents swift, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are essential to US national and economic security,” according to the announcement.

The idea is that DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), working with utilities, will “continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.” To achieve this goal, the efforts undertaken in this “sprint” focus on encouraging power grid players to:

  1. Implement measures or technology that enhance their detection, mitigation and forensic capabilities.
  2. Deploy technologies that enable near real-time situational awareness and response capabilities in the critical industrial control system (ICS) and operational technology (OT) networks.
  3. Enhance the security posture of their IT networks.
  4. Deploy technologies to increase the visibility of threats in ICS and OT systems.

This article appeared in CSO Online. To read the rest of the article please visit here.