Congress Digs into Dumpster Fire of Fed Cybersecurity

While there are plenty of private companies that were compromised by the SolarWinds attack, more importantly, many federal government departments and agencies including Treasury, State, the Nuclear Management folks, the FAA and others were compromised and information was stolen.

Congress is getting into the act; we will see if anything positive happens or Congress loses interest.

The GAO, the agency that used to be called the General Accounting Office and is now called the Government Accountability Office, is required by law to report on all government agency cybersecurity every two years.

This year’s report is not pretty. Your tax dollars not working so well, I guess.

The GAO says that agencies have failed to implement 750 recommended changes from the last report, including some that might have stopped the Russians from pulling off the SolarWinds attack.

In a hearing this week, the House Committee on Oversight and Reform members appeared to be concerned about deteriorating federal cybersecurity.

This should not really be much of a surprise to anyone. The last administration didn’t seem to care much about cyber, and even when there were attacks, they didn’t do anything unless it happened to mesh with some other political agenda (like beating up China, but not Russia).

Here is how the Committee Chairwoman summed up the situation:

“The vulnerability of federal and private sector systems, including critical infrastructure of the nation’s energy, transportation, communications, and financial sector, is absolutely staggering.”

We almost saw thousands of people killed last month when a water treatment plant in Florida was attacked. It was pure dumb luck that the attack was detected. While that was not the feds, it is still government.

The GAO says that they have made 3,300 cybersecurity recommendations since 2010. About 800 have not been addressed.

I think the biggest problem is people.

During the last administration, cybersecurity people ran, not walked, away from government positions because they did not want to deal with the politics and the bureaucracy.

Those people will never come back. They are making way more money in the private sector – which is another problem.

An indication of the magnitude of the problem —

The White House’s September 2018 National Cyber Strategy and the National Security Council’s accompanying June 2019 Implementation Plan were criticized for being rudderless. The plan detailed 191 activities that federal entities are to undertake, but did not include goals and timelines for 46 of them, identify resources needed to execute 160 of them, or specify a process for monitoring progress.

Remember that the federal government collects more of your personal information than even Google does. Taxes, healthcare, social security wage information – all kinds of information. If their security practices are that bad, the likelihood of them keeping that information safe is, well, close to zero.

We will see if Congress does anything. Credit: The Record

Right Wing Social Media Platform Gab.Com Hacked, Data Leaked

Last month, as Parler was being deplatformed by Amazon, it was hacked and many gigabytes of data were taken and later made public.

In what seems like a sequel, right wing free speech social media platform Gab.com was hacked and, again, data was stolen and later published.

Gab is reportedly described as a haven for extremists including white supremacists, neo-Nazis, white nationalists, the alt-right and QAnon conspiracy theorists. If this is true, the data is probably of interest to a lot of people and may be “damaging” to the people who created it.

The site went down for a short period last week after saying there was an issue that only affected a few accounts.

When contacted by the media, Gab’s CEO said that there was no independent confirmation of the breach, which is likely true. That of course does not mean that they were not breached. He also said that they don’t collect much personal information. If what he means is that they don’t collect driver’s license numbers, he is probably right, but if what he means is potentially embarrassing or criminal-charge-causing posts, well, then, he might be wrong.

The CEO did admit that the site was vulnerable to a SQL injection attack that they fixed last week (like maybe at the same time that they went offline????).
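The post only says that Gab had a SQL injection bug; it does not say where. As an added illustration (not Gab’s code, not from the original article), here is the shape such a defect usually takes and what the fix looks like: a lookup that pastes user input into SQL text next to the same lookup done with a parameterized query. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory table for the example; not any real site's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b"), ("carol", "hash_c")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Defect: the caller's string becomes part of the SQL text, so a quote
    # character in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn, username):
    # Fix: a bound parameter. The driver passes the value to the engine
    # separately from the statement, so it is compared as data, never parsed.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    # Returns what each version hands back for a normal name and for an
    # input that carries a quote (a constructed test string, not a real payload
    # from the breach). The vulnerable version leaks every row; the hardened
    # version finds nothing because no user is literally named that.
    conn = make_db()
    quoted_input = "' OR '1'='1"
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),
        "vuln_quoted": find_user_vulnerable(conn, quoted_input),
        "safe_normal": find_user_hardened(conn, "alice"),
        "safe_quoted": find_user_hardened(conn, quoted_input),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The detection side of this is the same observation: the vulnerable query returns rows it was never asked for, which is the kind of anomaly (a single lookup returning the whole table) that database query logging should surface.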

The 70 gigabytes of data that has been leaked (so far) includes public posts, private posts, user profiles, hashed passwords, direct messages and plaintext passwords for groups.

Could the data be used by law enforcement to see if there is a connection with the January 6th riots at the Capitol? Probably.

Compared to the Parler leak, this could be, potentially, much worse, since it claims to contain both private posts and direct messages.

We also don’t know if the 70 gig of data leaked is all that was stolen or just the first installment.

Bottom line, assuming that something that you post on a public social media platform will remain private is probably not a great bet. Credit: Hackread

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard, is designed to measure the security practices of companies and of the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it – and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the vulnerabilities equities process to try to rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point research published a report describing one failure where the Chinese figured out the bug we were using, one way or another, and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised through Accellion’s decades-old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades-old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, nor is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

Texas – The Post Mortem

Now that the power is mostly back on in Texas and the majority of people can drink the water, the what-iffing begins. This is relevant because Texas is far from alone. They just got caught this time and they will be pilloried – for the most part appropriately – as a result.

#1 – According to KHOU-11 in Houston, the number of ERCOT board members who have resigned so far is now up to 6. IT APPEARS THAT NONE OF THEM LIVE IN TEXAS.

#2 – Those of us who have studied this stuff know that nationally, the power grid is extremely fragile. In Texas it is even more fragile because they made a deal with the devil decades ago not to tie into either of the national power grids. They did that because Texans don’t like the federal government and by not connecting into the national power they escaped federal regulation. The folks that manage the Texas grid, ERCOT (note the R in ERCOT stands for reliability) said that the state was 4 minutes and 37 seconds away from a total meltdown when they pulled the power plug. Think about that for a minute. If they had a meltdown, the grid would likely have been down for at least weeks because, in part, it is hard to do a cold start – where they don’t have some power to start up the network. In part, also due to damage to equipment from the meltdown.

#3 – Homeland Security has been working for several years at figuring out how to deal with this (see #4 below), but it is a hard problem. Equipment is not standardized; most is not made in the U.S.; much of it is custom made to order and it might take a year to replace some of the damaged equipment.

#4 – Ever hear of Plum Island? Most people have not. It is a small island off New York’s Long Island. It is DHS’s private test bed for experimenting and training grid technicians on doing a cold start, especially when there is an adversary working against them. DHS and DARPA work together to use the island, which is its own power plant and power grid, to test theories and train techs, but how many techs do you think you can train? There are probably millions that need to be trained.

#5 – The Trump administration commissioned a study that reported three years ago that the US was in danger of a “catastrophic power outage”. The problem they said was an aging grid dependent on oil and gas (and no, not on wind turbines, solar panels or a mythical green new deal). Here is a quote from the Trump administration’s own report:

“After interviews with dozens of senior leaders and experts and an extensive review of studies and statutes, we found that existing national plans, response resources, and coordination strategies would be outmatched by a catastrophic power outage… that could leave large parts of the nation without power for weeks or months, and cause service failures in other sectors—including water and wastewater, communications, transportation, healthcare, and financial services—that are critical to public health and safety and our national and economic security.”

The report urged “significant public and private action”. What did the administration do? Nothing much.

The governor, who is under a lot of pressure right now, said the problem was due to green energy – wind turbines and solar. He didn’t point out that the Space Station is completely powered by solar (no oil up there) and it operates in a temperature range of minus 250 degrees to plus 250 degrees. Forbes says that wind turbines work in cold climates. Finland uses them and it gets pretty cold there.

The problem is that no one in Texas wanted to spend the money to winterize their grid, even after a smaller meltdown in 2011 and recommendations (but not mandates) to fix the problem.

#6 – The problem is that oil, gas and coal have to be replenished. Oil and gas have to flow through pipelines. Coal has to be transported, usually by train. If you lose the flow for some reason, the power goes off.

#7 – Other parts of the world were cold too. In Colorado it got down to minus 15 (way colder than Texas) in the Denver area and minus 30 in other parts of the state. Colorado uses green energy too. Note that there were no significant outages in Colorado. Why? Because the state was prepared for it.

#8 – It could have been a lot worse. As bad as it was in Texas, the grid only failed there. I grew up in the Northeast and I am old. I remember what is now called the great northeast blackout that started on the evening of November 9, 1965. New York activated 10,000 National Guardspeople and 5,000 police reserves that night to deal with the chaos. That blackout, along with a similar one in 2003, caused the feds to change the rules for utilities that they regulate. One thing they did was automate a lot of what was done manually because in that case, they only had seconds to do an orderly blackout instead of a meltdown. They were able to restore power in about 48 hours as I remember.

#9 – Texas is big into the concept of a free market economy. Like California before them, they deregulated the energy industry decades ago. As a result, some consumers were charged the going market rate for electricity. Electricity that normally cost 2 cents per kilowatt hour shot up to $9 per kilowatt hour. This means that some people got electric bills of $5,000, $10,000 or even $15,000 for the week of cold. Needless to say, Texas legislators are bearing the brunt of the upset from unhappy residents.

Bottom line, there was plenty of warning that this could happen, but no one – not the Texas regulators, legislature or governor or the national administration – did anything to mitigate the problem.

While we have only started dissecting the situation and there are a lot of investigations still going on at all levels, including Congress, we already know many things that have to be done.

And, while Texas is in the spotlight, they are far from alone, so hopefully utility regulators in other states will make changes without having to have a meltdown.

I think we will have to wait and see.

New York Issues Cyber Insurance Framework

Early this month, New York’s Department of Financial Services, the regulator for banks and insurance companies, issued guidance on cybersecurity insurance.

Unfortunately, the guidance was not to insurance customers; it was for insurance companies.

The regulator is concerned that big breaches may cause insurance companies to go out of business.

DFS advised insurers against paying ransoms, in part because they may run afoul of new Treasury Department regulations that consider those payments aiding terrorists.

Insurance companies had to pay out almost $3 billion after the NotPetya attack for policies that didn’t say anything about cyber events.

DFS wants insurers to consider 7 specific practices. These practices are designed to help insurers understand risk, set prices and control payouts.

None of this helps clients.

Attacks like SolarWinds may cause insurers to exclude coverage for exactly the companies that bought insurance to get that coverage.

ONE THING THAT CARRIERS ARE DOING IS MAKING COMPANIES COMPLETE SECURITY QUESTIONNAIRES AND IF THEY DON’T LIKE THE ANSWERS, THEY ARE EXCLUDING CERTAIN COVERAGES.

All this means that it is more important than ever to have an insurance agent who is specifically knowledgeable in cyber risk insurance.

Credit: CSO Online

What the Heck is ‘Zero Trust’ Anyway?

If you read the security news or talk to security vendors, the buzz word of the year is ZERO TRUST. Many vendors tell you that they have the zero trust answer. The reality is a lot more complex.

Zero trust is not a product or even a family of products. It is not a platform. It is really a strategy built around one concept: “never trust, always verify.”

Vendors and their products are certainly a component of zero trust, but not a silver bullet.

Still, zero trust is a good idea and you should begin to understand it if you do not already.

One challenge with the traditional security strategy of “moat and drawbridge” is that it worked reasonably well only when you knew where the castle was. Today there is no castle: people are everywhere, and so are servers and services. Zero trust is designed to be flexible about that.
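To make “never trust, always verify” concrete, here is an added example (my own illustration, not code from Forrester or from any vendor) that puts the two models side by side as access decisions. The perimeter function treats the source network as the credential; the zero trust function ignores the network and checks identity, MFA, device posture and a per-resource policy on every request. The corporate address range, the roles and the policy table are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed corporate network range for the example.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed role assignments and resource policy (resource, action) -> allowed roles.
ROLES = {"alice": "hr-analyst", "bob": "engineer", "dana": "hr-admin"}
POLICY = {
    ("hr-db", "read"): {"hr-analyst", "hr-admin"},
    ("hr-db", "write"): {"hr-admin"},
}


@dataclass
class Request:
    source_ip: str
    identity: Optional[str]   # identity proven by a verified credential, or None
    mfa: bool                 # second factor completed for this session
    device_compliant: bool    # device posture check (patched, managed, etc.)
    resource: str
    action: str


def perimeter_decision(req: Request) -> str:
    # Moat and drawbridge: inside the castle walls means trusted.
    # Nothing about who the user is or what device they hold is examined.
    if ip_address(req.source_ip) in CORP_NET:
        return "allow"
    return "deny: outside network"


def zero_trust_decision(req: Request) -> str:
    # Never trust, always verify: the same checks run for every request,
    # whether it arrives from the office LAN or from a coffee shop.
    if req.identity is None:
        return "deny: no verified identity"
    if not req.mfa:
        return "deny: mfa not completed"
    if not req.device_compliant:
        return "deny: device not compliant"
    role = ROLES.get(req.identity)
    if role not in POLICY.get((req.resource, req.action), set()):
        return "deny: not authorized for %s on %s" % (req.action, req.resource)
    return "allow"


def compare(req: Request) -> dict:
    # Returns both decisions so the difference between the models is visible.
    return {"perimeter": perimeter_decision(req), "zero_trust": zero_trust_decision(req)}


if __name__ == "__main__":
    # An unauthenticated request from inside the network: the perimeter model lets it in.
    inside_anon = Request("10.1.2.3", None, False, False, "hr-db", "read")
    # An HR analyst on a compliant laptop at home: the perimeter model blocks her.
    remote_alice = Request("203.0.113.7", "alice", True, True, "hr-db", "read")
    for r in (inside_anon, remote_alice):
        print(r.source_ip, r.identity, compare(r))
```

The point the example makes is the one in the paragraph above: once the castle has no fixed location, a decision keyed on “inside vs. outside” admits the wrong people and shuts out the right ones, while a decision keyed on verified identity, device and policy gives the same answer wherever the request originates.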

Zero trust is a journey. It requires education and research and even I can’t explain it in a blog post. Here are some things to consider in the zero trust journey.

  • Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps. 
  • Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve. 
  • Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects. 

Here is a tutorial on zero trust.

Credit: Forrester

Privacy, Security and Cyber Risk Mitigation in the Digital Age
