FTC, SEC raise legal risks surrounding the log4j flaw

The U.S. Federal Trade Commission also threatened possible legal action for companies that don’t address the risk from the Log4j vulnerabilities.

Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also evoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability that irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Tingey Injury Law Firm on Unsplash


Security leaders on how to cope with stress of…

The Log4j vulnerability puts great pressure on security teams already stretched thin dealing with ransomware and other attacks. This advice will help them cope.

The year 2021 was unprecedented in the strain it placed on cybersecurity professionals. From the beginning of the year through now, incident responders and network defenders have been whipsawed by a seemingly endless array of unparalleled back-to-back security emergencies. In the words of researcher Kevin Beaumont, “We’ve reached peak cyber for 2021. Please stop cybering.”

The year started with wide-scale remediation efforts stemming from the late-2020 discovery of the state-sponsored Nobelium cyber-espionage campaign that exploited SolarWinds’ widely used Orion platform. Amid the SolarWinds clean-up, security teams then had to grapple with the exploitation of four zero-day vulnerabilities in Microsoft Exchange Server that sparked a global wave of hacks and breaches. Ransomware gangs accelerated their attacks on healthcare, education, and business organizations, culminating in significant incidents that brought down leading U.S. oil pipeline company Colonial Pipeline and the North American operations of a major meat supplier, JBS.

Thrown into this mix of high-profile incidents were dozens of other ransomware attacks, hacks, and espionage efforts affecting government bodies, healthcare providers, educational institutions, political organizations, and human rights workers across the globe. The Biden administration responded with a series of executive orders, directives, and new requirements for government agencies and critical infrastructure providers to turn the tide of the unrelenting digital malfeasance. At the same time, Congress stepped in with legislative measures to bolster the nation’s cybersecurity posture.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Elisa Ventur on Unsplash


NIST gears up for software security and IoT labeling…

Intended to help consumers make more secure software and IoT device purchases, the labeling guidelines are voluntary and self-policing at this time.

President Biden’s wide-ranging cybersecurity executive order issued last May directs the National Institute of Standards and Technology (NIST) to create pilot labeling programs to educate the public on the security of the internet-of-things (IoT) devices and software products they buy. The order requires NIST to produce by February 6, 2022, IoT cybersecurity criteria for a consumer labeling program and, separately, identify secure software development practices or criteria for a software labeling program.

To those ends, NIST held a workshop in September and solicited comments from stakeholders and experts. Based on the input received in these efforts and after issuing preliminary draft papers that outline various approaches, NIST issued draft Baseline Criteria for Consumer Software Cybersecurity Labeling on November 1 and a discussion draft on Consumer Cybersecurity Labeling for IoT Products on December 3.

After NIST produces both the IoT and software criteria in February, it will begin a labeling pilot testing phase. That phase will consist of NIST engaging with organizations that currently offer consumer labeling options. NIST says it may also decide to establish measures to demonstrate further proof of concept based on the criteria it publishes.

This article appeared in CSO Online. To read the rest of the article please visit here.


U.S. Cyber Command’s actions against ransomware draw support and…

The actions, which temporarily took down REvil, raise questions about using the military to combat ransomware.

Over the weekend, Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the National Security Agency (NSA), confirmed what most cybersecurity specialists already knew: The U.S. military has engaged in offensive measures against ransomware groups. These actions were undertaken to stem the alarming and growing tide of ransomware attacks that have hit U.S. industry, notably Colonial Pipeline in May, and have afflicted hundreds of healthcare and educational institutions.

In October, Cyber Command, in conjunction with the Secret Service, FBI, and allied nations, diverted traffic around servers used by the Russia-based REvil ransomware group, forcing the group to disband, at least temporarily. Among other attacks, REvil targeted the world’s largest meat processor, JBS, in late May, disrupting meat production for days. Cyber Command and NSA also helped the FBI and the Justice Department seize and recover 75 bitcoins worth more than $4 million that were part of the cryptocurrency ransom Colonial Pipeline paid.

Nakasone said the attacks on Colonial Pipeline and JBS impacted critical infrastructure. “Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,” Nakasone said. Cyber Command’s first anti-ransomware effort occurred in 2020 when the military arm worked in parallel, but not in a coordinated fashion, with Microsoft to take down the Trickbot network.

This article appeared in CSO Online. To read the rest of the article please visit here.


NIST workshop provides clues to upcoming software supply chain…

Experts at a NIST-sponsored workshop weigh in on what might be in the final version of the Biden executive-order-mandated supply chain security guidelines.

President Biden’s wide-ranging cybersecurity executive order (EO) issued in May aims to improve software security through a series of guidelines. As the EO directed, the National Institute of Standards and Technology (NIST) has produced a definition of what constitutes “critical software,” published guidance on security measures for EO-critical software use, and released guidelines on vendors’ source-code testing. On November 8, NIST published preliminary guidelines for enhancing software supply chain security.

NIST recently held a workshop to discuss the guidelines’ provisions, which are due in final form by February 6, 2022. The EO asks NIST to produce its software supply chain security guidelines according to ten criteria, including secure software development environments; the generation of “artifacts,” which can contain a host of information about how the software was developed; the provenance or origin of software code and components; software bills of materials (SBOMs); vulnerability disclosure programs; and attestation to conformity with secure software development practices.

The workshop gathered experts to share their insights on some of the components currently contemplated for the final supply chain security guidelines.

This article appeared in CSO Online. To read the rest of the article please visit here.


Cyberwar’s global players—it’s not always Russia or China

Research reveals that countries such as Belarus, India, and Colombia are responsible for significant cyberattacks.

Over the past year, a string of high-profile cyberattacks coming from Russia and China has galvanized the United States and its western allies into taking swift action to counter the escalating incidents. Consequently, the SolarWinds spyware infiltration, the Microsoft Exchange hack, and ransomware attacks launched by criminal gangs harbored by the Kremlin dominate headlines and drive nation-state cybersecurity responses.

However, it’s not always Russia or China who are dangerous adversaries in the digital realm. Smaller threat groups from India, Iran, Belarus, Latin America, and Israel can hold their own when it comes to disruptive hacking or espionage operations. In addition, alleged “hacktivist” groups and threat actors of indeterminate origin engage in malign activities for often mysterious purposes.

Indian hackers pose as legitimate firms

Reuters journalists Chris Bing and Raphael Satter recapped at the recent Cyberwarcon event their ongoing investigation of a loose collective of Indian hackers who blur the lines between reputation management firms and outright hacking-for-hire services. Working for outfits such as Appin Security Labs and BellTrox, these hackers target lawyers, activists, executives, investors, pharmaceutical companies, energy firms, asset management companies, offshore banking entities, and high net worth individuals.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Pete Linforth from Pixabay


Pentagon announces version 2.0 of its controversial CMMC program

CMMC 2.0 simplifies the process for SMBs, but critics say the verification process relies too much on self-attestation.

Last week, the Pentagon announced version 2.0 of its controversial and complex Cybersecurity Maturity Model Certification (CMMC). The CMMC is a training, certification and third-party assessment framework for defense industrial base (DIB) contractors. The goal of the CMMC is to provide cybersecurity requirements that DIB contractors must implement.

The Department of Defense (DoD) introduced CMMC three years ago and adopted it in an interim format in September 2020. It was designed to replace the previous cybersecurity self-attestation of DIB contractors with third-party verification of compliance. An independent, tax-exempt organization, the CMMC Accreditation Body (CMMC-AB), was picked by the Pentagon to conduct the third-party verifications.

Number of security maturity levels cut from five to three

The first version of the CMMC spells out basic cybersecurity hygiene processes and practices in a complicated model framework of 17 domains mapped across five maturity levels: basic, intermediate, good, proactive, and advanced. CMMC 2.0 seeks to cut the “red tape for small and medium-sized businesses” by whittling down the need for accreditation and reducing the number of levels to three: Foundational, Advanced and Expert.

This article appeared in CSO Online. To read the rest of the article please visit here.


Infrastructure bill includes $1.9 billion for cybersecurity

Passage of the infrastructure bill includes $1.9 billion for cybersecurity, and more could be on the way with the Build Back Better and other bills working their way through Congress.

On Friday, Congress passed one of President Biden’s signature pieces of legislation, the $1 trillion Infrastructure Investment and Jobs Act. This landmark bill promises not only massive upgrades to the nation’s aging infrastructure but also boosts government cybersecurity spending by $1.9 billion.

Among its provisions is a new $1 billion grant program to help state, local, tribal and territorial governments protect themselves from malicious actors and modernize systems to protect sensitive data, information, and public critical infrastructure. The Federal Emergency Management Agency (FEMA), which runs the Department of Homeland Security’s (DHS’s) existing grant programs, will provide the funds over four years starting in fiscal year 2022, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as a subject matter expert.

The bill also incorporates the Cyber Response and Recovery Act of 2021, which authorizes $100 million over five years to help the government quickly respond to cybersecurity intrusions. Another notable provision is $21 million in funding for the newly created office of the National Cyber Director (NCD) to hire qualified personnel to support its essential cybersecurity mission. The bill further requires the Environmental Protection Agency (EPA) and CISA to identify public water systems that, if degraded or rendered inoperable due to a cyber-attack, would lead to significant impacts on the health and safety of the public.

This article appeared in CSO Online. To read the rest of the article please visit here.


CISA releases directive to remediate dangerous vulnerabilities across civilian…

While the move is applauded, a short timeframe to address vulnerabilities will be a challenge for security resource-strapped agencies.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a wide-ranging mandate, a Binding Operational Directive (BOD 22-01), for all civilian federal agencies “to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries.” The goal of the BOD is to help agencies clarify and focus their remediation efforts in the face of thousands of discovered vulnerabilities – 18,000 in 2020 alone – and prioritize those deemed most dangerous for remediation.

The directive requires the agencies to remediate the vulnerabilities within specified time frames, relying on a CISA-managed catalog of known exploited vulnerabilities. CISA says this directive enhances but does not replace BOD 19-02, issued in April 2019 to address remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.

This latest directive extends coverage beyond internet-facing systems to non-internet-facing assets and applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. Although it binds only federal civilian agencies, CISA strongly recommends “that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.”
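The mechanism the directive describes, a public catalog in which every exploited CVE carries a remediation due date, is straightforward to turn into a triage step. The Python below is an added example written for this page; it is not code from the CSO article or from CISA. It loads a small constructed catalog laid out like CISA's JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and requiredAction are the ones the feed publishes; the entries, due dates and catalog version here are illustrative, not copied from the live feed), joins it against constructed scanner findings, and ranks them so overdue catalog entries surface first. The hostnames, the CVE-2021-99999 placeholder and the reporting date are all constructed.

```python
"""Rank scanner findings against a KEV-style catalog (added example, not CISA tooling)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample shaped like the public feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Values below are illustrative and are NOT taken from the live catalog.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2021.12.15",
  "dateReleased": "2021-12-15T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "shortDescription": "constructed",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-17", "notes": ""},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "constructed",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-24", "notes": ""},
    {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "constructed",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-24", "notes": ""}
  ]
}
"""

# Constructed scanner output: (host, CVE) pairs. CVE-2021-99999 is a placeholder
# that deliberately does not appear in the sample catalog.
SAMPLE_FINDINGS = [
    ("app02.example.gov", "CVE-2021-44228"),
    ("app02.example.gov", "CVE-2021-45046"),
    ("mail01.example.gov", "CVE-2021-26855"),
    ("www01.example.gov", "CVE-2021-99999"),
]

# Constructed "today" so the example is reproducible offline.
REPORT_DATE = date(2021, 12, 20)


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    required_action: str


@dataclass(frozen=True)
class Triage:
    host: str
    cve_id: str
    in_kev: bool
    due_date: date | None
    days_remaining: int | None  # negative once the due date has passed

    @property
    def status(self) -> str:
        if not self.in_kev:
            return "not-in-kev"
        return "OVERDUE" if self.days_remaining < 0 else "due"


def load_catalog(raw_json: str) -> dict[str, KevEntry]:
    """Index the catalog's 'vulnerabilities' array by CVE ID, parsing the ISO dates."""
    catalog: dict[str, KevEntry] = {}
    for v in json.loads(raw_json)["vulnerabilities"]:
        catalog[v["cveID"]] = KevEntry(
            cve_id=v["cveID"], vendor=v["vendorProject"], product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            required_action=v["requiredAction"],
        )
    return catalog


def triage(findings, catalog: dict[str, KevEntry], today: date) -> list[Triage]:
    """Join findings to the catalog and sort: KEV hits first, most overdue at the top."""
    rows = []
    for host, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            rows.append(Triage(host, cve, False, None, None))
        else:
            rows.append(Triage(host, cve, True, entry.due_date, (entry.due_date - today).days))
    far_future = 10**6  # pushes non-catalog findings to the bottom without changing their relative order
    rows.sort(key=lambda r: (not r.in_kev, far_future if r.days_remaining is None else r.days_remaining))
    return rows


def overdue(rows: list[Triage]) -> list[Triage]:
    return [r for r in rows if r.in_kev and r.days_remaining < 0]


if __name__ == "__main__":
    ranked = triage(SAMPLE_FINDINGS, load_catalog(SAMPLE_KEV_JSON), REPORT_DATE)
    for r in ranked:
        due = r.due_date.isoformat() if r.due_date else "-"
        print(f"{r.status:<10} {r.host:<20} {r.cve_id:<15} due {due} ({r.days_remaining})")
```

Against the live feed the same code works unchanged once the JSON is fetched; the point of the ordering is that a finding already past its KEV due date outranks a newer, louder CVE that is still inside its window, and anything not in the catalog falls to the bottom to be handled by the ordinary scanning cadence rather than the directive's clock.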

This article appeared in CSO Online. To read the rest of the article please visit here.


Biden’s cybersecurity executive order, a progress report

Of the 46 tasks President Biden mandated to protect digital government assets, 19 are now completed, though not all agencies have reported their progress.

On May 12, 2021, President Biden released a comprehensive cybersecurity executive order, EO 14028, entitled Improving the Nation’s Cybersecurity. The complex order responded to a chain of startling and damaging cybersecurity incidents that primarily occurred during Biden’s first few months in office.

The EO gave several federal government agencies tight deadlines to produce new rules and guidance on stringent cybersecurity requirements that the White House hopes will better protect government offices from malicious digital activity. In addition, the administration designed the order to spur federal government hardware and software suppliers to ratchet up their security efforts to hang onto their government contracts. The hope is that by exercising the power of the purse, the federal government’s new rules would have a positive spillover effect for private sector organizations, too.

Cybersecurity EO mandates 46 actions

The order requires 46 actions to be carried out by the Commerce Department, the Department of Homeland Security (DHS), the Defense Department (DOD), the Office of Management and Budget (OMB), the National Security Agency (NSA), the Director of National Intelligence, the Attorney General, the Federal Acquisition Regulatory (FAR) Council, and other government-related entities. Exemplifying the whole-of-government approach favored by this White House, virtually all the tasks assigned under the EO require collaboration by multiple government agencies.

Some government agencies, notably the NSA, have made little to no public comment on some or all of their tasks under the EO. Therefore, it isn’t easy to gauge how close some actions are to completion. Moreover, the deadlines for at least 11 of those tasks have yet to arrive.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Christina Kirschnerova on Unsplash