Confusion Over Cyber Attack Response

The Washington Post had an eye opening story on just how bad things are when it comes to responding to cyber attacks. Based on a congressional review by the House Oversight Office of three very major cyber attacks (CNA, Colonial and JBS), we have some insight into why incident response preparation is so important.

#1 – Who should victims call in the government?

If you don’t already have the name and cell phone number of the person you are going to call if you need help, get that now. Establish a relationship and keep it active.

“Colonial was in contact with at least seven federal agencies or offices,” the committee found. “CNA was initially referred to one FBI field office before a different field office was designated as the primary point of contact.”

In the case of JBS, the company emailed the FBI. But it took several hours for a substantive reply, as the email was forwarded between case agents at the same field office who were trying to determine the right point of contact, investigators found. 

#2 – How are you going to handle the hacker’s timeline. The hackers say if you don’t pay in 24 hours, the ransom doubles, for example and in 72 hours we are going to publish your data. Are you ready to handle that? Assume that you don’t have access to email or any company files that are online or maybe even in the cloud.

Hackers with the REvil gang, for example, told JBS their $22.5 million ransom demand would double if it wasn’t paid quickly. They also threatened to post the company’s data publicly if they weren’t paid within three days. Eventually JBS negotiated paying an $11 million ransom. 

Colonial faced a similar threat of a doubled ransom after a set period of time. Hackers with the DarkSide gang amped up the pressure with a clock ticking down in the corner of the company’s computer screens. 

The feds really have to get their act together, but you can’t count on that happening so you need to take action yourself.

For some critical infrastructure, the feds are starting to collaborate with industry, but that is not going to help most companies.

This comes a day after an FBI law enforcement web site was hacked.

There is some good news. In the new $1 trillion infrastructure bill about $2 billion of that money, assuming it actually gets funded, which is less than one percent of that money, is allocated to cybersecurity.

In the case of these high profile attacks, the companies were not prepared. See more information at The Hill

ARE YOU PREPARED?

Implementing Zero Trust-Hopefully You Will Beat DoD’s Pace

Zero Trust is the new silver bullet in cybersecurity. Well, not really, but many people are treating it that way. However, it is an important positive and everyone should be looking into how they can implement it in their organization.

The DoD is about to open an office dedicated to implementing zero trust. It will have its own senior level executive and will get help from DoD’s CIO, Kelly Fletcher.

Whether this in direct response to SolarWinds or not, it is certainly the right time.

For DoD, and likely you, they plan to review and prioritize their systems and networks and create a plan to get all of them into a zero trust world. In the case of DoD, that means over the next 5-7 years. That is an insanely long time, even for an organization like DoD, but hopefully all sensitive systems will get priority and will be done much sooner than that.

Zero trust means don’t assume trust, always verify; even from a device that was verified some time in the past. It also means implementing least privilege and definitely removing admin permissions. If someone needs admin permissions, you should provision that in real time, just for as long as that permission is needed. That might mean just for a minute or two.

DoD is likely to actually move forward on this sooner than the other executive branch agencies since they have already started.

The recent Cyber EO requires that agencies prioritize the adoption of zero trust. Whether this would have stopped SolarWinds or not – I think not – it should dramatically slow don’t the hackers movement inside the network once they got in.

The Cyber EO is not magic. The government has underfunded IT and information security for decades and you cannot fix that overnight.

For many private sector companies, the same is true. Underfunded and cannot be instantly fixed.

But, if you don’t start, you will never get there.

Now is a good time to start. Credit: Data Breach Today

Security News for the Week Ending November 12, 2021

Feds Having Some Success In Going After Hackers

The DoJ announced the arrest of a Ukrainian who is accused of deploying ransomware on behalf of the REvil ransomware gang. They also seized $6 million in cryptocurrency. The Ukrainian was arrested in Poland (crooks are not smart. If you are in the crosshairs of U.S. law enforcement, do not go to countries with extradition treaties with us. They also arrested other REvil affiliates in Romania and Kuwait. Understand while this is all good, it is also a drop in the bucket with regard to the amount of cybercrime affecting us. Credit: Bleeping Computer

State Department Sends Emergency Employee Message: Change Passwords

On Tuesday afternoon the State Department sent out an official text message to employees telling them to change passwords now and increase the length from 12 to 16 characters. They are not even confirming the message but the only logical conclusion is that they were hacked. Credit: Just the News

Missouri Apologizes for Governor’s Political Stunt

After the St. Louis newspaper discovered that a state website that allows the public to check on teachers’ credentials was leaking the personal information of hundreds of thousands of teachers, the governor tried to get the newspaper and the reporter arrested and charged with hacking. He even ordered the highway patrol to investigate the crime. Now the state’s department of education is apologizing to the teachers and offering them credit monitoring. The governor said that the newpaper’s hacking was going to cost the state $50 million. Turns out the cost is really $800,000. And the highway patrol is still investigating. The Governor has not apologized. Credit: ZDNet

Dutch Newspaper Accuses US Spy Agency of Orchestrating 2016 Booking.com Breach

Booking.com was hacked in 2016 and they did not disclose the breach. The newspaper says that Booking.com relied on advice from law firm Hogan Lovells saying they did not have to disclose it. The hackers came across a poorly secured server with customer PINs which allowed them to steal the information. The company asked the Dutch spy agency for help after an internal investigation tied the hacker to US spy agencies. The company acknowledged that it did not disclose the breach and that was consistent with the laws in effect at the time. This hack looks very similar to an attack that Snowden disclosed eight years ago. Credit: The Register

13 Security Bugs Impact Important Healthcare Devices

Researchers have published details of a suite of 13 vulnerabilities in the Nucleus real time operating system from Siemens that is used across many industries including healthcare, automotive and aerospace. Called Nucleus:13, the flaws affect the TCP/IP stack, a common attack vector in these type of operating systems. This revelation is part of a larger investigation into TCP/IP software which discovered 78 vulnerabilities in 14 different TCP/IP stacks. A different research team found 19 flaws in a different TCP/IP stack. Siemens has released patches for the current versions of the OS, but there is no way for an end user to know what version is in their medical device – that is until software bills of material become legally mandatory. Credit: Bleeping Computer

Feds Scramble for Easy Fix To Ransoms

Congressman Patrick McHenry (R-NC) introduced the Ransomware and Financial Stability Act (HR 5936) this week which would make it illegal for financial institutions to pay ransoms over $100,000 without first getting the government’s permission.

McHenry, the top Republican on the House Financial Services Committee, introduced the bill yesterday.

He said that ransomware payments in the U.S. totaled more than $1 billion since 2020. He didn’t answer where he came up with that number.

The FBI says ransomware payments between 2014 and 2020 totaled $140 million. Not sure where the other $860 million came from.

He says that the bill will help deter, deny and track down hackers who threaten the financial institutions. I am sure that a new law will make all of those hackers in Russia and North Korea shake in their boots. I am also not clear why not paying ransoms would help track down hackers.

If the bill passes, it will mandate the following:

  • Financial institutions will have to notify Treasury’s FINCEN before making a ransomware payment
  • It would prohibit financial institutions from paying a ransom in excess of $100,000 with prior approval from law enforcement or the President, if he/she determines it is in the country’s national interest

The bill says that ransomware payment reports would remain confidential, something the government is great at, except that there is an exception to that in the case of the government or the courts.

Of course there are two sides to prohibiting these payments.

On the pro ban side, they it is no different than paying bribes or paying pirates.

On the anti ban side, there are those who say it is not the government’s decision and paying the ransom may be dramatically less expensive than not paying it.

RAND has suggested that banning ransom payments is similar to the U.S.’s no-concession approach to giving in to kidnapping demands, which RAND says does not work.

The FBI said that ransom payments should not be banned.

Usually the reason that companies choose to pay the ransom is that it is less expensive. Often 10x or 50x less expensive. The bill, which makes saving that money impossible, does not compensate financial institutions for the decision that the government will make for them.

The only good news is that he does not have any co-sponsors and there is no Senate version.

Credit: Threatpost

Privacy and China – In the Same Sentence?

China’s residents are not used to online privacy – from one of the world’s most repressive and invasive regimes, but there is now an online privacy law called PIPL (Personal Information Protection Law).

It went into effect on November 1 and it will change how companies do business in China – but it won’t change a thing about how the government snoops.

While it may affect local Chinese companies like WeChat, TikTok and others, it will also affect how foreign companies do business in China.

Overseas companies may be blacklisted, which of course could escalate tensions.

Already Yahoo announced it was leaving China and Microsoft’s LinkedIn said it was replacing what we think of LinkedIn with a vanilla job board.

There are a lot of similarities between GDPR and PIPL. In some cases the language was lifted. Right to access your information. Right to correct. Right to Delete. Right to withdraw consent.

Fines can be as high as 50 million yuan ($7.8 million) or 5 percent of annual revenue.

The PIPL regulator is a state agency – the Cyberspace Administration of China. Not exactly independent. Or neutral.

The law now requires companies that collect a lot of data (amount undefined) must store their data in China.

Now that Microsoft and Yahoo have left, who remains is Apple. Apple has created a reality distortion field to keep doing business in China. Possibly this is because of all the manufacturing that it does there and the rare earth minerals it needs from China. In any case, they already conceded the privacy of Apple users years ago.

Companies that want to export data have to go through a security review.

One thing that may be a result of China’s law is that other countries, particularly those in Asia, may also decide that companies have to keep data locally. Vietnam and India are already considering similar rules. Maybe others will follow.

For foreign companies (such as U.S. ones), that could mean changing their business models, their technology stack or even their algorithms.

Or, they may choose to not do business in some countries.

The result could turn the world into a bunch of data islands. Do I care if I don’t see data from people in China? I don’t think so. Not sure that is a horrible result but for some companies it messes with their revenue. Worse yet, it makes them make really hard choices like Apple did. Or it can cause other countries to retaliate. Stay tuned, this battle is far from over. Credit: Wired

CMMC 2.0 is Coming – In a Year or Two

CMMC just became more complicated or more simple.

The feds published an advance notice of proposed rulemaking (ANPR) for CMMC 2.0 and then just as quickly, unpublished. The Federal Register, the place were office notices are published only said that they asked for it to be unpublished.

So people saw the ANPR for about 18 hours and here is what they saw:

  • CMMC Levels 2 and 4 would be removed. Since DoD already said they don’t plan to use them, that is not a big deal.
  • CMMC Level 1 would be a self assessment. Whether this is important depends on the consequences of lying. After all, the current 800-171 is pretty much a self assessment.
  • The process maturity sections of CMMC would go away. This is a big loss because without process maturity you really haven’t integrated security into the culture.

There seems to be a big disconnect between what is CUI and what is not. I was involved in a long conversation today where the customer of a three letter agency was saying, in their contract, that the names and personal information of contractor employees was CUI.

For now all assessments and certifications are on hold.

It also means that all of the companies in the CMMC ecosystem, from trainers to certifiers, are wondering about their investments. Some invested a lot of money.

On the other hand, DFARS 252.204-7012 and its underlying requirements of NIST SP 800-171, which is about 80% of CMMC version 1, Level 3, is still there and does not appear to be going away.

Was the release of CMMC 2.0 a mistake? A trial balloon? Intentional sabotage? No one is saying.

Personally, I think it was a trial balloon, but who knows.

Reports are that it will take the feds at least a year from now to develop the regulations behind CMMC 2.0 and that assumes that it doesn’t change from what was leaked. Of course, that is just a rumor. For all we know it could drop next week.

What we do know is the pilot program is suspended and contract requirements are being removed.

It is our recommendation that customers who are not fully compliant with 800-171, which your contract says that are currently certifying that you are, need to continue working towards becoming fully compliant. The DoJ announced two weeks ago that they intend to prosecute folks who lie about that. How aggressive that is going to be is unknown. What is known that the feds currently make around $5 billion a year from these prosecutions. Great revenue stream. And, whistle blowers can get up to 30 percent of that.

WE ALSO DON’T KNOW IF THIS IS REALLY CMMC 2.0 OR MERELY A POSSIBLE SUGGESTION OF WHAT’S NEXT

Here is what other people are saying.

JDSupra says that the Pentagon is suspending the pilot and the DoD is evaluating how it could “provide incentives” to companies that voluntarily get certified in the interim. That is a different twist. Do it now and we pay for it, do it later and you pay for it? Interesting.

They also say the self certification is for “some circumstances”.

Finally, they say that the new level 2 would be split into prioritized programs which will require third party certification and other programs which will require annual attestations by corporate officers, similar, I am guessing, to Sarbanes Oxley. People who lie there could be prosecuted, jailed or debarred.

They are also saying that it is possible that there may be a waiver process for some particular controls.

A lot of unknowns.

The Pentagon has some very high level stuff at the Office Of Acquisition and Sustainment’s website, even though it is rumored that they will be losing management responsibilities of the program. It may be moving over the the DoD CIO, but that is currently a rumor. What is a fact is that A&S has not done a great job over the last year. They say that the Pentagon wants to simplify things for small businesses, which is good, while protecting the national security, which is hard.

In the meantime, the Chinese, Russians, North Koreans and others continue to rob us blind.

Is everything clear?

Good!

So, as I said, work on 800-171 compliance and stay tuned. Could be tomorrow, could be a year from now.

SORRY!

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed