SEC eyes more expansive cybersecurity requirements

New rules for publicly traded companies could add protections for consumer information, strengthen incident reporting, and require assessment of third-party risk.

Gary Gensler, chair of the Securities and Exchange Commission (SEC), has laid out an ambitious cybersecurity plan for his agency that could give it a far more expansive regulatory footprint than it currently has. Speaking to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gensler said that “the financial sector remains a very real target of cyberattacks” and is becoming “increasingly embedded within society’s critical infrastructure.”

Although the SEC participates in several advisory bodies, such as the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC), among others, that deal directly with cybersecurity requirements, the agency has no hard and fast cybersecurity rules or cybersecurity incident reporting requirements for publicly traded companies. It does, however, have data protection and other security requirements for the financial segments it directly regulates, including exchanges, brokers, financial advisers, and others.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by lo lo on Unsplash



Biden memo aims to bolster cybersecurity in national security…

A national security memorandum places new cybersecurity requirements for reporting and preventing security incidents involving sensitive national security systems.

United States President Joe Biden issued a 17-page National Security Memorandum (NSM) yesterday containing new cybersecurity requirements for national security systems (NSS). The memo’s purpose is to ensure that these more sensitive systems employ the same or more stringent cybersecurity measures spelled out for federal civilian systems in Biden’s comprehensive cybersecurity executive order issued in May 2021.

National security systems are information systems, including telecommunication systems, that involve intelligence or cryptologic activities related to national security, command and control of military forces, weapons systems, other activity critical to the direct fulfillment of military or intelligence missions, and classified information related to national defense or foreign policy. This latest effort to boost cybersecurity follows the order issued last May and an NSM for critical infrastructure owners, a directive to bolster pipeline cybersecurity, and several other actions by the administration to prioritize cybersecurity following a year of growing threats and attacks.

This article appeared in CSO Online. To read the rest of the article please visit here.



Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here’s how events are unfolding along with unanswered questions.

On Saturday night, January 15, Microsoft shook the cybersecurity world with a report that destructive wiper malware had penetrated dozens of government, non-profit, and IT organizations in Ukraine. This news capped a week of mounting apprehension of cyberattacks in Ukraine that could presage or accompany a real-world Russian military invasion of the country.

Since January 11, several possibly interconnected developments related to Russia’s cybersecurity posture paint a complex and unclear portrait of what’s happening in Ukraine. The following is a timeline of these increasingly high-stakes developments:

January 11: U.S. releases cybersecurity advisory

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint cybersecurity advisory (CSA) providing an overview of Russian state-sponsored cyber operations. It covered commonly observed tactics, techniques and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.

CISA also recommended that network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.

This article appeared in CSO Online. To read the rest of the article please visit here.



Tech sector embraces public-private collaboration on open-source software security

Participants in a White House meeting on securing open-source software expressed optimism for working effectively with government to help prevent Log4j-like events.

Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.

The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged. That easy-to-exploit flaw has the potential to compromise hundreds of millions of machines globally. The FBI, the NSA and the Cybersecurity and Infrastructure Agency (CISA) quickly branded it as “a threat to organizations and governments everywhere.” In a letter inviting tech leaders to the meeting, National Security Advisor Jake Sullivan said that “open-source software is a key national security concern.”

The meeting included attendees from a wide range of government departments and agencies, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, CISA, and the National Institute of Standards and Technology (NIST). Private sector participants included executives and top-level representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle and RedHat.

This article appeared in CSO Online. To read the rest of the article please visit here.



CISA sees no significant harm from Log4j flaws but…

The U.S. cybersecurity agency can’t rule out that adversaries are using Log4j to gain persistent access to launch attacks later.

Officials at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) say that despite initial fears of widespread compromise, they have yet to see significant harm stemming from a vulnerability in the Java-based Log4j logging utility that became public in December. They can’t rule out that adversaries haven’t already used the vulnerability to monitor targeted machines silently, however, biding their time for later attacks.

“We’ve been actively monitoring for threat actors looking to exploit” the vulnerability, and “at this time we have not seen the use in significant intrusions,” Jen Easterly, director of CISA, said at a press briefing. “Adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise.”

However, the vulnerability has been exploited by threat actors in minor ways. “We are seeing some prevalence of what we would call low-level activities, such as installation of cryptomining and software installation of malware that could be used historically in botnets,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said.

This article appeared in CSO Online. To read the rest of the article please visit here.



FTC, SEC raise legal risks surrounding the log4j flaw

The U.S. Federal Trade Commission also threatened possible legal action for companies that don’t address the risk from the Log4j vulnerabilities.

Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also evoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability that irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Tingey Injury Law Firm on Unsplash


Security leaders on how to cope with stress of…

The Log4j vulnerability puts great pressure on security teams already stretched thin dealing with ransomware and other attacks. This advice will help them cope.

The year 2021 was unprecedented in the strain it placed on cybersecurity professionals. From the beginning of the year through now, incident responders and network defenders have been whipsawed by a seemingly endless array of unparalleled back-to-back security emergencies. In the words of researcher Kevin Beaumont, “We’ve reached peak cyber for 2021. Please stop cybering.”

The year started with wide-scale remediation efforts stemming from the late-2020 discovery of the state-sponsored Nobelium cyber-espionage campaign that exploited SolarWinds’ widely used Orion platform. Amid the SolarWinds clean-up, security teams had to then grapple with the exploitation of four zero-day vulnerabilities in the Microsoft Exchange Server that sparked a global wave of hacks and breaches. Ransomware gangs accelerated their attacks on healthcare, education, and business organizations, culminating in significant incidents that brought down leading U.S. oil pipeline company Colonial Pipeline and the North American operations of a major meat supplier, JBS.

Thrown into this mix of high-profile incidents were dozens of other ransomware attacks, hacks, and espionage efforts affecting government bodies, healthcare providers, educational institutions, political organizations, and human rights workers across the globe. The Biden administration responded with a series of executive orders, directives, and new requirements for government agencies and critical infrastructure providers to turn the tide of the unrelenting digital malfeasance. At the same time, Congress stepped in with legislative measures to bolster the nation’s cybersecurity posture.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Elisa Ventur on Unsplash


NIST gears up for software security and IoT labeling…

Intended to help consumers make more secure software and IoT device purchases, the labeling guidelines are voluntary and self-policing at this time.

President Biden’s wide-ranging cybersecurity executive order issued last May directs the National Institute of Standards and Technology (NIST) to create pilot labeling programs to educate the public on the security of the internet-of-things (IoT) devices and software products they buy. The order requires NIST to produce by February 6, 2022, IoT cybersecurity criteria for a consumer labeling program and, separately, identify secure software development practices or criteria for a software labeling program.

To those ends, NIST held a workshop in September and solicited comments from stakeholders and experts. Based on the input received in these efforts and after issuing preliminary draft papers that outline various approaches, NIST issued draft Baseline Criteria for Consumer Software Cybersecurity Labeling on November 1 and a discussion draft on Consumer Cybersecurity Labeling for IoT Products on December 3.

After NIST produces both the IoT and software criteria in February, it will begin a labeling pilot testing phase. That phase will consist of NIST engaging with organizations that currently offer consumer labeling options. NIST says it may also decide to establish measures to demonstrate further proof of concept based on the criteria it publishes.

This article appeared in CSO Online. To read the rest of the article please visit here.


U.S. Cyber Command’s actions against ransomware draw support and…

The actions, which temporarily took down REvil, raise questions about using the military to combat ransomware.

Over the weekend, Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the National Security Agency (NSA), confirmed what most cybersecurity specialists already knew: The U.S. military has engaged in offensive measures against ransomware groups. These actions were undertaken to stem the alarming and growing tide of ransomware attacks that have hit U.S. industry, notably Colonial Pipeline in May, and have afflicted hundreds of healthcare and educational institutions.

In October, Cyber Command, in conjunction with the Secret Service, FBI, and allied nations, diverted traffic around servers used by the Russia-based REvil ransomware group, forcing the group to disband, at least temporarily. Among other attacks, REvil targeted the world’s largest meat processor, JBS, in late-May, disrupting meat production for days. Cyber Command and NSA also helped the FBI and the Justice Department seize and recover 75 bitcoins worth more than $4 million that were part of the cryptocurrency ransom Colonial Pipeline paid.

Nakasone said the attacks on Colonial Pipeline and JBS impacted critical infrastructure. “Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,” Nakasone said. Cyber Command’s first anti-ransomware effort occurred in 2020 when the military arm worked in parallel, but not in a coordinated fashion, with Microsoft to take down the Trickbot network.

This article appeared in CSO Online. To read the rest of the article please visit here.


NIST workshop provides clues to upcoming software supply chain…

Experts at a NIST-sponsored workshop weigh in on what might be in the final version of the Biden executive-order-mandated supply chain security guidelines.

President Biden’s wide-ranging cybersecurity executive order (EO) issued in May aims to improve software security through a series of guidelines. As the EO directed, the National Institute of Standards and Technology (NIST) has produced a definition of what constitutes “critical software,” published guidance on security measures for EO-critical software use, and released guidelines on vendors’ source-code testing. On November 8,  NIST published preliminary guidelines for enhancing software supply chain security.

NIST recently held a workshop to discuss the guidelines’ provisions, which are due in final form by February 6, 2022. The EO asks NIST to produce its software supply chain security guidelines according to ten criteria, including secure software development environments; the generation of “artifacts,” which can contain a host of information about how the software was developed; the provenance or origin of software code and components; software bills of materials (SBOMs); vulnerability disclosure programs; and attestation to conformity with secure software development practices.

The workshop gathered experts to share their insights on some of the components currently contemplated for the final supply chain security guidelines.

This article appeared in CSO Online. To read the rest of the article please visit here.