Cyber Risk Update 21 APR 2023

RSA Conference Next week.

Tring out a new tool for cyber risk information sharing

Don't miss out on links not included in my weekly update. Join our Discord server to have access to items that don't make the cut and be able to quickly search by topic. Join the Local Government Cyber Watch discord server with this link https://discord.gg/fGVdJZFS (Link expires in 7 days)

• Check out the #fun channel for cybersecurity memes!

Awareness

• Why is ‘Juice Jacking’ Suddenly Back in the News? https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/

Data Breaches

• Cyberattack Cost Ontario Town Around $1 Million. A cyberattack in July 2022 on St. Marys, a town in Ontario, cost around $974,000, or $1.3 million in Canadian dollars, including a ransom payment to hackers, the London Free Press reports. The town hired Deloitte to handle the payment. Hackers didn’t publish personal data stolen from the town after receiving the ransom, mayor Al Strathdee said. https://lfpress.com/news/local-news/cyberattack-cost-local-town-1-3m-including-290k-in-bitcoin-ransom

• This is another form level of extortion. A patient suing a Pennsylvania-based hospital network over a data breach has asked a judge to force the organization to pay a ransom fee to hackers in a bid to have stolen photos of naked patients taken off the internet. People sue frequently after data beaches but it's unusual for a victim to try to compel a company to pay a ransom. A cancer patient filed the lawsuit against Lehigh Valley Health Network after learning that photos of her naked during her treatment were online. Jane Doe lawsuit asks judge to compel Lehigh Valley Health Network to pay hackers more than $5 million in a bid to have stolen photos removed from the internet. https://www.wsj.com/articles/patient-seeks-to-force-hospital-network-to-pay-hackers-ransom-to-remove-naked-photos-online-46ee754

Cybersecurity Leadership

• 7 cybersecurity mindsets that undermine practitioners and how to avoid them. CISOs and other security practitioners can sometimes see things from a negative perspective, which is understandable given the nature of the job. But correcting how we see the role of cybersecurity can lead to much more positive outcomes. https://www.csoonline.com/article/3693255/7-cybersecurity-mindsets-that-undermine-practitioners-and-how-to-avoid-them.html

• Why Feedback is Key to Effective Leadership: Insights from Primal Leadership https://www.learnsecurity.org/single-post/why-feedback-is-key-to-effective-leadership-insights-from-primal-leadership

• Mastering the Art of Customer Service: A Guide to Recognizing Excellent Service https://www.learnsecurity.org/single-post/mastering-the-art-of-customer-service-a-guide-to-recognizing-excellent-service

Nation States

• The Growing Threat of Foreign Espionage and the Importance of Security Convergence https://www.learnsecurity.org/single-post/the-growing-threat-of-foreign-espionage-and-the-importance-of-security-convergence

• Cisco routers targeted by Russian state-sponsored hackers. Cyber officials in the U.K. and U.S, along with Cisco Systems Inc., warned that Fancy Bear, a longtime hacking group believed to be supported by Russia's intelligence agency, is going after vulnerable Cisco IOS routers. Malware known as Jaguar Tooth was tailored to exploit a known bug on the equipment to establish access to victims' networks, government advisories said. A patch was available for the bug in 2017 but some organizations haven't updated their systems. https://www.bleepingcomputer.com/news/security/us-uk-warn-of-govt-hackers-using-custom-malware-on-cisco-routers/

• Iran-linked hackers have crafted attacks aimed at U.S. transportation, energy firms, Microsoft says. The group, which Microsoft calls Mint Sandstorm, is supported by the Iranian government and has in the past targeted government agencies, activists and journalists, cyber researchers at the tech giant said Tuesday. Microsoft has spotted Mint Sandstorm activity against seaports, energy companies, transit systems, and a major U.S. utility and gas entity, it said in a blog post. In some cases the hacking group exploited vulnerabilities the same day they were publicized, the post said. The group also has taken advantage of unpatched instances of the Log4J open-source tool. The group sometimes gains initial entry through fine-tuned phishing email intended for specific individuals, Microsoft said. https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/

• Drone alliance accuses Chinese company of mass data collection. Drones from Shenzhen, China-based Da-Jiang Innovations Science & Technology Co., known as DJI, are harvesting consumer and government data and images as they fly around Europe, according to the Drones4Sec alliance of drone tech makers. Complaints were filed in the U.K., the Netherlands and Bavaria. (SUAS News) https://www.suasnews.com/2023/04/drones4sec-files-simultaneous-complaints-with-the-dutchdata-protection-authority-and-the-bavarian-data-protectionauthority-against-dji-for-lack-of-gdpr-compliance/

AI as a Threat

• The Department of Homeland Security’s Science and Technology Directorate aims to better understand AI as it becomes integrated with the nation’s infrastructure. US Must Be More Aware of 'Adversarial Side' of AI, DHS Official Warns. https://www.nextgov.com/emerging-tech/2023/04/us-must-be-more-aware-adversarial-side-ai-dhs-official-warns/385330/

• “Independent Tests of Anti-Virus Software. AV-Comparatives evaluated the security efficacy of leading SASE solutions designed to address the needs of today's hybrid workforces. Palo Alto Networks Prisma Access, Cisco Umbrella and Zscaler Internet Access were each evaluated over a 6 month period. Read this detailed report to see how the solutions compare.” https://www.databreachtoday.com/whitepapers/independent-tests-anti-virus-software-w-11639

Critical Infrastructure

• Cyber measures for water facilities challenged: Attorneys general in Arkansas, Iowa and Missouri are suing the U.S. government to overturn cybersecurity rules for drinking-water utilities outlined by the Environmental Protection Agency in March. The AGs said the EPA bypassed state authorities to attach cyber requirements to a federal law that otherwise isn't related to cybersecurity. https://www.cnn.com/2023/04/19/politics/water-facility-cybersecurity-regulations/index.html

Tools

• Microsoft Teams Emergency Operations Center (TEOC) Facilitate accelerated deployment of collaboration, communication, and task management capabilities for emergency response operations through our open-source app template in Microsoft Teams. Use the services you have today to better respond tomorrow. The Microsoft Teams Emergency Operations Center solution template leverages the power of the Microsoft 365 platform to centralize incident response, information sharing and field communications using powerful services like Microsoft Lists, SharePoint, and more. An open-source solution supported by Microsoft, it provides core functionality out of the box or can be extended to meet specific agency requirements. https://adoption.microsoft.com/en-us/microsoft-teams/app-templates/emergency-operations-center/

• “Independent Tests of Anti-Virus Software. AV-Comparatives evaluated the security efficacy of leading SASE solutions designed to address the needs of today's hybrid workforces. Palo Alto Networks Prisma Access, Cisco Umbrella and Zscaler Internet Access were each evaluated over a 6 month period. Read this detailed report to see how the solutions compare.” https://www.databreachtoday.com/whitepapers/independent-tests-anti-virus-software-w-11639

Guidance for Third-Party & Supply Chain Risk

• VENDOR SUPPLY CHAIN RISK MANAGEMENT (SCRM) TEMPLATE “The following document is the result of a collaborative effort produced by the Cybersecurity and Infrastructure Security Agency (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, Working Group 4 (hereinafter WG4), aimed at creating a standardized template of questions as a means to communicate ICT supply chain risk posture in a consistent way among public and private organizations of all sizes. The purpose of this assessment template is to normalize a set of questions regarding an ICT Supplier/Provider implementation and application of industry standards and best practices. This will enable both vendors and customers to communicate in a way that is more consistently understood, predictable, and actionable. These questions provide enhanced visibility and transparency into entity trust and assurance practices and assist in informed decision-making about acceptable risk exposure.” https://www.cisa.gov/sites/default/files/publications/ICTSCRMTF_Vendor-SCRM-Template_508.pdf

• Risk Considerations for Managed Service Provider Customers. “To aid organizations in making informed Information Technology (IT) service decisions, the National Risk Management Center (NRMC) at the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) developed this set of risk considerations for Managed Service Provider customers. This framework compiles information from CISA and IT and Communications Sector partners to provide organizations with a resource to make risk-informed decisions as they determine the best solution for their unique needs. Specifically, the framework provides organizations with considerations to incorporate into their IT management planning and best practices as well as tools to reduce overall risk.” https://www.cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf

Elections Security

• U.S. Election Assistance Commission. Best Practices for Election Technology. The EAC published a guide prescribing effective controls for specific categories of election technology, and for all phases of the elections process. The cybersecurity of elections has never been more salient in the minds of election officials and voters. To ensure the integrity of the voting process, election officials develop procedures to monitor, detect, and recover from cyber-security incidents. There is no "one size fits all" for election security. However, election officials often use the following general best practices to enhance the overall security of election and voting system computers and electronic devices. https://www.eac.gov/sites/default/files/electionofficials/security/Best_Practices_for_Election_Technology_508.pdf

• Each election jurisdiction is responsible for procuring, maintaining, and using their own election technology. Most jurisdictions rely on some form of paper ballot for voting, but the method used by election officials to tabulate ballots ranges from a hand count of paper ballots to the use of fully electronic systems that record a vote directly on the device. For more information about election security preparedness, see: https://www.eac.gov/election-officials/election-security-preparedness

• Election Technology Security Measures by Equipment Type https://www.eac.gov/election-officials/election-technology-security

• Provides cybersecurity recommendations to political campaigns, companies, and individuals to mitigate the risk of foreign influence operations targeting US elections. Cyber-attacks against political campaigns and government infrastructure. Secret funding or influence operations to help or harm a person or cause. Disinformation campaigns on social media platforms that confuse, trick, or upset the public. https://www.fbi.gov/investigate/counterintelligence/foreign-influence/protected-voices