Useful Reference Material
We have collected reference material from a variety of sources that we think may be useful to you.
These materials may be copyrighted, so please use them appropriately. If they are copyrighted, we may provide a link to the document rather than the document itself. Under the US Constitution, the Federal Government is not allowed to own a copyright, so documents created by the Feds can be used without restriction. State and local governments may copyright material created with taxpayer dollars (go figure). The newest item is on the top.
DHS/CISA Releases Guidance on Identification of Essential Critical Infrastructure Workers During Covid-19 Response
CISA released recommendations on who should be considered critical when it comes to Covid-19 response. This is in relation to shelter in place guidance and similar restrictions that might be implemented during the Covid-19 recovery. The list is quite long ranging from a cafeteria worker supporting critical infrastructure to an oil refinery technician. Here is the memo.
NIST Releases Draft Guidance on IoT Security for Manufacturers
Both California and Oregon now have laws requiring reasonable security for IoT devices (see JDSupra for information on the California law and National Law Review for information on the Oregon law). Since these laws are a little loose on the definition of reasonable, NIST has stepped in to fill the void. Here is their most recent draft guidance for manufacturers on what reasonable means.
FBI Releases Private Industry Notification (PIN) on Business Email Compromise Losses
Cyber criminals are targeting organizations that use Microsoft Office 365 and Google G Suite to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses. THIS ONLY INCLUDES LOSSES THAT WERE REPORTED TO THE FBI, SO THE REAL NUMBER IS MUCH LARGER. A copy of the PIN can be found here.
California AG Releases Updated CCPA Guidelines
With CCPA now the law in California, the next major milestone is enforcement. Enforcement will start on July 1st. The Attorney General released a set of draft regulations late last year and received many comments. Now they have released an updated set of regulations (a redline), available here. The comment period lasts until February 24th and it is anticipated that the final regulations will be released in April or May.
Some key points of the modified regulations are:
- Slightly limits the definition of personal information (excludes IP addresses NOT linked to users)
- Better defines what reasonably accessible policies and notices means
- Clarifies the just in time notice of data collection requirements
- Removes the requirement of using a web form as one of the two methods to contact companies
- Reduces the “search” obligation for data which is not maintained in a searchable manner. Companies need to be careful about claiming data is not searchable if it actually is
- Provides examples of opt-out buttons
- Simplifies the notice for data brokers who buy data from others
Still there are a lot of unknowns and we will likely not understand them for a while.
NIST Releases Draft “Key Practices in Cyber Supply Chain Risk Management” Report
NIST IR 8276 outlines key recommendations for cyber supply chain risk management. Glad someone besides me is beating that drum :). The key practices, NIST says, can be used by organizations of any size to create a robust cyber supply chain risk management (C-SCRM) program. The draft is available here.
New FIRRMA/CFIUS Final Rules Published
On January 13, 2020, the U.S. Department of Treasury (Treasury) finalized implementation of the Foreign Investment Risks Review Modernization Act (FIRRMA) by issuing two final rules that expand the authority and responsibility of the Committee on Foreign Investment in the United States (CFIUS) to determine whether a foreign investment in U.S. businesses poses a risk to national security.
As explained below, the first rule covers CFIUS’s jurisdiction to review investments by foreign persons in U.S. businesses, including sections previously covered by the critical technologies pilot program; the second rule covers CFIUS’s jurisdiction to review transactions involving certain U.S. real estate. Except for a few notable changes, the final rules substantially track the proposed rules published on September 17, 2019 and will go into effect on February 13, 2020.
A summary of the changes can be found at https://www.lexology.com/library/detail.aspx?g=ddadebdb-bce5-419b-929a-49db189b5104 .
It’s Heeeeeeere! – Pentagon Releases CMMC Version 1.0
Meeting their self-imposed deadline (barely), as they have done with every other deadline they have created, the gov released version 1.0 of the Cybersecurity Maturity Model Certification document this week. It appears they are serious about it.
Next comes the process for training and approving certifiers.
For companies who sell to the government (civilian or military) or who sell to those who then sell to the government, we recommend you take this seriously.
FDIC and OCC Publish Cyber Warning in Financial Institution Letter
The FDIC and OCC released an interagency Financial Institution Letter (FIL) on heightened cybersecurity risk as a result of the Middle East tensions. They say that the current environment provides an opportunity (yes, their word) for banks to re-evaluate the adequacy of safeguards to protect against various types of cybersecurity risk. The document attached to the Letter provides details of recommended actions to take. Normally, FILs apply to financial institutions over $1 billion in total assets. The FDIC says that this Letter applies to all institutions. The advice in the Letter is actually appropriate for all businesses. The Letter can be found here and the attachment can be found here.
Get Ready for the Cousin of the NIST Cybersecurity Framework
I am not sure if it is a son, daughter or cousin, but NIST has released version 1.0 of the NIST Privacy Framework. For those who are familiar with the NIST Cybersecurity Framework, this will look very familiar. It is made up of the “core”, profiles and implementation tiers. Like the NIST Cybersecurity Framework, it has 5 functions. In the case of the privacy framework those 5 functions are Identify, Govern, Control, Communicate and Protect. The functions are broken down into categories and the categories are broken down into sub-categories. A copy of version 1 can be found here.
FBI Releases More Alerts Re: Iran
The FBI has released two more notifications on cyber risk related to Iran. These are classified WHITE, so they can be publicly posted. The first is a notice on Iranian cyber tactics and techniques and the second is an alert about specific phishing activities of people at Iran’s Mabna Institute. The FBI says that Mabna hackers target organizations using cloud-based applications – which sort of means everyone. The number of alerts from the Feds – FBI, DHS, CISA and others – likely indicates that they have other classified intelligence which paints a less than optimistic picture.
Escalating Tensions Between the United States and Iran Pose Potential Threats to the Homeland
The Feds are working really hard to get the message out that this is not a time to lay back and hope you do not get attacked. They say, in this joint intelligence bulletin (JIB) that the Government of Iran has the potential to launch lethal attacks. The JIB is marked For Official Use Only (FOUO) but the FBI has confirmed and reconfirmed that we can treat this as TLP:WHITE, which means unrestricted distribution, hence I am able to post this one here.
UK ICO Releases Draft Guide on Data Subject Access Requests
The UK Information Commissioner’s Office released draft guidance on complying with what GDPR calls a Data Subject Access Request (DSAR). While CCPA doesn’t have a name for when people ask for a copy of their data, and the rules vary between CCPA and GDPR, this is still good reading for figuring out how you are going to set up your CCPA program. In many cases, the information in the guide is specific to GDPR (which is fine if you must comply with GDPR), but even so, it is useful for bringing up questions as you create your internal CCPA compliance guide. Read the guide here.
NIST Publishes Guide to Protecting BGP Connections
For those of you not familiar with BGP (Border Gateway Protocol), it is the protocol used by all Internet Service Providers and many businesses to make their Internet connections more resilient by allowing the connection to move from ISP to ISP or data center to data center transparently to the users. Unfortunately, BGP was designed in the late 1980s by two engineers from Cisco and IBM on three napkins (see picture below) that still hang on the wall in Cisco’s offices.
Needless to say, nothing on those three napkins addressed security, and nothing still does, much to the glee of China and other state-sponsored terror-hackers who take over Internet connections on a regular basis.
The National Institute of Standards and Technology has issued recommendations this month on ways to protect your BGP connection from being hijacked. While none of these are simple, losing control of your Internet connection can be a very serious event, so we recommend that you review NIST’s recommendations and implement some of the recommended controls. A copy of the recommendations can be found here.
EFF Publishes Guide to Corporate (Web) Surveillance
The Electronic Frontier Foundation published a guide to understand how businesses track users on the web, their phones and in the physical world. It also explains how advertisers bid for that information. Finally it discusses how to fight back. Interesting reading for sure. You can find a copy here.
Advisory on New Commerce Rules Regarding Supply Chain Are Ambiguous and Hard to Plan For
The Department of Commerce (DoC) has issued guidelines in alignment with President Trump’s EO going after China’s 5G telecom business, but kind of like the new CFIUS guidelines, the view of government review is very expansive. Unlike the new CFIUS guidelines, for which there are 300 pages of guidance, the DoC guidelines were clearly thrown together in a couple of weeks and are kind of like the court’s view of porn – we can’t define it, but we know it when we see it. Commerce says that they are going to review deals on a case-by-case basis, which means that companies that do business internationally have no way to understand which deals might be allowed and which ones won’t be. Read Alston & Bird’s analysis here.
DHS and Mitre Create Top 25 Reported Software Vulnerabilities
Mitre, who runs the National Vulnerability Database as part of DHS’s CERT (Computer Emergency Response Team), analyzed 25,000 REPORTED vulnerabilities from 2017 and 2018 (and note that 25,000 represents a subset of the total vulnerabilities discovered during those years). They then categorized the vulnerabilities by type and created a top 25 list. The list is available here, but it is a bit difficult to understand, so I created a Word document combining two tables. The idea behind this list is that these are the actual top 25 vulnerabilities that were reported to DHS in 2017/2018 by volume, unlike other lists that are based on people’s opinions. The Word document can be found here.
Secret Service and DHS/CISA Release Secure Online Shopping Tips for the Holidays
Courtesy of the US Secret Service and the Department of Homeland Security (CISA), here are some tips for a safer and more secure holiday online shopping experience – for both CONSUMERS and BUSINESSES. Sorry, it doesn’t contain Cyber Monday sales links :).
Details of Comcast Lobbying Against Losing Access to DNS Data
Now that Google and Mozilla have announced plans to encrypt DNS traffic, the ISPs like Comcast who use that data to sell ads are doing a full-court lobbying press to try to maintain access to your data, even if it means outright lies. I have posted a leaked slide deck that they have been using with Congress on why keeping your DNS data private must be a Russian plot or something, even though most of the deck is half-truths and outright lies.
CISA Has Released “Protecting Against Malicious Code” Tips
CISA (DHS) releases tips as part of their National Cyber Awareness System (NCAS) from time to time. This tip covers protecting yourself against malicious code. While this is a pretty basic document, it would be useful to distribute to employees to use at home. You can find the document at https://www.us-cert.gov/ncas/tips/ST18-271
Cisco Releases Guides for Incident Responders
Cisco, being one of the largest network gear vendors in the world, runs much of the Internet and corporate networks, so anytime Cisco does something, it is big news for everyone.
Recently Cisco released these “first responder” documents:
- Cisco IOS XE Forensic Investigation Procedures
- Cisco IOS Forensic Investigation Procedures
- Cisco ASA Forensic Investigation Procedures
If you run Cisco gear in your network, this is an important set of documentation for you to have.
NIST Releases Draft Privacy Framework
Using a similar model to what they did for the NIST Cybersecurity Framework, NIST is working on a NIST Privacy Framework. The most recent draft was released on September 6th and the final version is expected soon. Like the NIST CSF, this is a voluntary framework, but it will likely be popular for folks trying to figure out how to manage privacy requirements in a very complex world. A copy of this draft can be found here.
As I said below, as we see advisories on CCPA, we will either post them here or link to them.
- Alston & Bird – 21 CCPA talking points. They came up with some very interesting details.
California AG Releases Guidance on CCPA Rules
Now that the legislature has adjourned, the AG has released two documents on CCPA. One is their proposed regulations (24 pages) and the other is their legal justification for those regulations (97 pages). For those who were hoping there would be a lot of clarity, I am sorry to disappoint you. There is some clarity, but not a lot. Law firms around the country are dissecting this, so we will get more interpretation from them (as to what they think they can defend in court). As we get more information from our law firm sources, we will share it with you.
This does however start the timer. The law says that enforcement of the law begins the earlier of 6 months after the AG releases regulations or July 1, 2020. The countdown has begun, ladies and gentlemen.
DHS’s CISA Releases Tips on Avoiding Social Engineering and Phishing Attacks
This two-page tip sheet is a useful employee training aid on what phishing, vishing and smishing are, how to avoid being a victim and what to do if you think you are being attacked. The tip sheet is available here.
DHS’s CISA Releases Microsoft Office 365 Security Guidance
DHS’s CISA says that in their consulting they have seen that many organizations have not optimized the available Office 365 security options. See their recommendations here.
Explanation of the CJEU Decision Regarding Using Pre-Checked Options and How it Affects Informed Consent
The EU’s highest court, the Court of Justice of the EU, handed down a decision in the case of German lottery provider Planet49 and its use of pre-checked boxes on a web site to pretend that a user actually intended to give Planet49 permission to use their data. The court didn’t agree that this complied with GDPR and the ePrivacy directive. For a great explanation of what was decided and what is still up in the air, read this piece from the lawyers at Ballard Spahr.
DNS Monitoring Will Become Harder
With the advent of encrypting DNS traffic, organizations need to put together a DNS plan, especially if you have been using DNS monitoring for traffic shaping. The National Cyber Security Center in The Hague, Netherlands put out a great fact sheet on the issues and what you need to do. If you are responsible for IT operations, you should read this and see how it will impact you. Here is the fact sheet.
New York Shield Law Will Soon Go Into Effect
The SHIELD Act (NY SB 5575B) does several things and goes into effect in two phases. The first phase, expanded breach notification, goes into effect on October 23, 2019. The data security requirements go into effect on March 21, 2020, but there is a lot of work to do to comply. The law broadens the definition of private information, expands the definition of a breach, expands the territorial scope and imposes data security requirements.
The data security requirements are very specific and similar to what NY financial institutions already have to do. A copy of the marked up bill with changes can be found here.
CISA Releases 4 New Informed Insights Documents
The Cybersecurity and Infrastructure Security Agency (CISA) has released four new CISA Insights products informed by U.S. intelligence and real-world events. Each of the following products provides a description of the threat, lessons learned, recommendations, and additional relevant resources including:
DoD Releases Public For Comment Draft of CMMC – Version 0.4
If DoD does what they say they are going to do, come next September, RFPs coming out will require that contractors, subs and suppliers will have to be certified by a third party attesting to their cybersecurity capabilities. Here is the current CMMC Spec and here is an overview of the program.
Dealing with the Ryuk Ransomware – Decrypting It
The Colorado US Secret Service Electronic Crimes Task Force distributed a document produced by Coveware describing the challenges of dealing with the Ryuk ransomware, but in general, it applies to the complexities of paying any ransom – you don’t really know what the outcome is. Check out Coveware’s document here. The PDF at the link to the left is copied from their web site, linked above with minor edits for formatting; the content is Coveware’s, which they have generously shared with the ECTF community.
Center For Naval Analyses Reports on Bitcoin
The Center has produced two educational reports on cryptocurrency. The first is a non-technical primer for senior executives on cryptocurrency (found here) and the second is a report on the national defense implications of the use of cryptocurrency (found here). Given the writers, the reports have a national security leaning, but they are still useful for anyone who is trying to understand the subject.
CCPA Increases Risk of Litigation
The California Consumer Privacy Act grants consumers a private right to sue in case of a data breach. While consumers can’t sue in Federal court without showing damages, the CCPA allows for suits in state court without showing damages. Alston & Bird published a client advisory (see here) explaining the pitfalls and, while I disagree a bit with a few of the details, for the most part it is right on. One key point is what reasonable security means, and they point out that California’s former AG already defined reasonable and it is not an insignificant bar to cross.
2018 Proofpoint User Risk Report
Proofpoint surveyed 6,000 working adults regarding their personal security practices and asked questions about user’s understanding of security risks and their practices to mitigate them. It certainly explains a lot. Read the report here. The original document can be found on the Proofpoint website.
Cisco Releases Alert for Webex Software
The Multi-State ISAC issued an advisory on August 8th, 2019 for multiple vulnerabilities in Cisco Webex Player and Webex Recorder. The vulnerabilities would allow an attacker to execute arbitrary code on any affected computer. There are no workarounds for the vulnerabilities, but there are updated versions of the software. As is typical for Cisco, if you don’t have a current support contract you can’t download the fix easily; you must contact the Cisco TAC and beg for an update. A copy of Cisco’s alert can be found here.
Stewart Baker, formerly of DHS and NSA, interviewed Richard Clarke (the first US Federal Cybersecurity czar) and Rob Knake, authors of the new cybersecurity book The Fifth Domain. During the interview, Richard talked about cybersecurity spending. The old paradigm said 3-4% of your IT budget. Richard and Rob blow that up completely. They suggest that 3-4% is a great way to get yourself hacked. Listen to this 6 minute clip from the podcast here.
The entire Cyberlaw Podcast episode with Stewart can be found here. Stewart has an incredible level of knowledge from his decades in government service. While I sometimes disagree with his opinions, he always makes you think.
FBI Releases Alert for Scam on Retail Store Cash
If you run a retail store (and of course the target could change), the FBI Baltimore office released an alert describing a phone phishing attack that got employees to take the end-of-day cash, trade it for prepaid Visa cards and give the card info to the scammers. In some cases the employees were told the FBI was running an investigation and if they did not cooperate, they would be thrown in jail. The details of the scam are in the link above.
Self Decrypting Disk Drives
Researchers have discovered that many of the popular SSD disk drives from the major manufacturers did not implement hardware disk encryption correctly. Researchers were able to access the encrypted data. By default, Microsoft BitLocker uses hardware disk encryption if the drive says it supports it. The safest bet is to tell BitLocker that it should always use software disk encryption no matter what. Read the report here. Read Microsoft’s instructions for forcing BitLocker to use software disk encryption here.
2019 Booz Allen Cyber Threat Outlook
Booz puts out an annual state of the cyber union report. This year they suggest there are 8 tactics that bad guys will use to make our lives miserable. Read the report here.
AWS Publishes Incident Response Guide for AWS Customers
This guide presents an overview of the fundamentals of responding to security incidents within a customer’s AWS Cloud environment. It focuses on an overview of cloud security and incident response concepts, and identifies cloud capabilities, services, and mechanisms that are available to customers who are responding to security issues. Read the guide here.
DoD Creates Cybersecurity Maturity Model Certification (CMMC)
DoD is wrestling with getting their cybersecurity act together. One piece is Deliver Uncompromised. Another is the CMMC. It will take at least a year to roll out, but if they really do this, it will seriously impact the Defense Industrial Base. Here is Katie Arrington’s slide deck announcing the program.
NSA Issues BlueKeep Alert
In what has to be an almost unheard of situation, the National Security Agency has issued an alert asking people to patch the BlueKeep Remote Desktop Vulnerability. The vulnerability only exists in older versions of Windows – Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. I have posted a copy of the alert from the Railway Alert Network (yes, there really is such a thing) on recommended actions besides installing Microsoft’s patch here.
HC3 Threat Intelligence Briefing – Credential Stuffing
Posted: 02 June 2019
Published: 09 May 2019
Source: US Department of Health and Human Services
Synopsis: Credential stuffing is the process of taking known good (at one time) credentials and stuffing them into other web sites to see if they work. One estimate is that there were 28 billion attempts at credential stuffing in the second half of 2018 alone. There are ways to mitigate it and several of those were suggested by the vendor that created this PowerPoint. Non-technical presentation.
Length: 23 PowerPoint slides
HC3 Threat Intelligence Briefing – Shadow IT
Posted: 02 June 2019
Published: 10 Jan 2019
Source: US Department of Health and Human Services
Synopsis: Shadow IT is that portion of IT services which your employees use but the company is not aware of, does not manage and does not control the risk. You can’t manage that which you do not know about. Non-technical presentation.
Length: 15 PowerPoint slides
HC3 Threat Intelligence Briefing-Supply Chain Compromise
The US Health and Human Services Department has created a series of relatively non-technical presentations on a variety of subjects. In this case, the subject is supply chain risk.
Posted: 02 June 2019
Published: 11 Oct 2018
Source: US Department of Health and Human Services
Synopsis: Supply chain risk is a huge problem in the U.S. The attackers range from foreign countries such as China to competitors. Companies need to understand WHY they may come under attack and how these attacks work, so they can mitigate the threat.
Length: 10 PowerPoint slides
2019 Crowdstrike Global Threat Report
Posted: 18 May 2019
Published: 25 February 2019
Source: Steptoe & Johnson Cyberlaw Podcast – https://www.stitcher.com/podcast/sara-kryder/steptoe-cyberlaw-podcast/e/58993582
Synopsis: Dmitri Alperovitch of Crowdstrike and Stewart Baker of Steptoe (and formerly of DHS and NSA) discuss the contents of Crowdstrike’s report. Dmitri talks about which country is the fastest to break out of the system that they hacked into (18 minutes – you have to listen to find out who) and his 1/10/60 rule (1 minute to detect an attack, 10 minutes to investigate the attack and 60 minutes to remediate the attack, with your actual statistics reported to the Board periodically).
This is the second half of a 60 minute podcast. The full podcast is available at the link above (Source).
I recommend playing this at your next executive management meeting. It should be an attention getter.
Length: 31 minutes
How Chinese Companies Facilitate Technology Transfer from the United States
Posted: 13 May 2019
Published: 6 May 2019
Source: US-China Economic and Security Review Commission
Chinese companies—in many cases with the backing of the Chinese government—use a variety of methods to acquire valuable technology, intellectual property (IP), and know-how from U.S. firms. Some of these tactics are legal, while others involve coercive or covert means. Although Chinese companies are not the only foreign firms seeking to acquire U.S. technology, the Chinese case is unique because the Chinese Communist Party (CCP) has prioritized technology transfer as a matter of policy and provides direct and indirect support to companies engaging in these anti-competitive activities. Chinese acquisition attempts frequently target advanced technologies such as artificial intelligence (AI), biotechnology, and virtual reality, which are still in the early stages of development but could provide dual military and civilian capabilities in the future.
Length: 14 pages
A Guide To Cyber Attribution – Office of the Director of National Intelligence
Posted: 12 May 2019
Published: 14 Sep 2018
Source: Office of the Director of National Intelligence (ODNI)
Establishing attribution for cyber operations is difficult but not impossible. No simple technical process or automated solution for determining responsibility for cyber operations exists. The painstaking work in many cases requires weeks or months of analyzing intelligence and forensics to assess culpability. In some instances, the IC can establish cyber attribution within hours of an incident but the accuracy and confidence of the attribution will vary depending on available data.
To help with this process, the IC has identified several key indicators to evaluate and determine responsibility for an attack. We also have identified best practices for assessing cyber attribution and presenting our related assessments. A common approach to attribution can help to standardize communications with policymakers on cyber attribution and facilitate timely sharing of data and analytic collaboration.
Length: 5 pages
Common Sense Guide to Mitigating Insider Threats, Sixth Edition
Posted: 11 May 2019
Published: December 2018
Source: Carnegie Mellon University, Software Engineering Institute (unlimited distribution, (C) Carnegie Mellon but funded by the Department of Defense)
This sixth edition of the Common Sense Guide to Mitigating Insider Threats provides the CERT National Insider Threat Center’s most current recommendations from the CERT(R) Division, part of Carnegie Mellon University’s Software Engineering Institute. These recommendations are based on our continued research and analysis of an expanded corpus of over 1,500 cases of insider threat. The problem of insider threat impacts organizations across all industries. Though the attack methods vary depending on the industry, the primary types of attacks we have identified—theft of intellectual property, sabotage, fraud, espionage, and unintentional incidents—continue to hold true. This edition of the Common Sense Guide also considers workplace violence incidents as these types of threats have been fully incorporated into insider threat programs across the U.S. government, Department of Defense, and most of industry.
Length: 168 pages