ELTENI’S CYBER SCOOP
Latest News
In this newsletter, we highlight the regulatory emphasis on documentation and reporting, the requirement for and potential impact of third-party risk management and putting security on the boardroom agenda.
REGULATORY CORNER
CISA Proposed Cyber Incident Reporting Requirement covers a wider range of entities
The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is publishing a proposed rule (Proposal or NPRM) that will require broad segments of industry to meet onerous and quick reporting requirements following certain cyber incidents. At a high level, the Proposal – issued at the direction of Congress in the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) – would require a broad array of newly “covered entities” to report to CISA, within prescribed deadlines and on an ongoing basis, detailed information about covered cyber incidents and ransom payments. It also creates new data retention requirements and subpoena authorities for the government.
Notes
Cyber incidents are becoming increasingly prevalent across various facets of our digital existence. This trend necessitates the requirement for more robust controls and strategies to effectively mitigate risks. Consequently, there has been a proliferation of regulations emphasizing the importance of documentation and reporting to enhance transparency and prioritize responses.
Numerous regulatory bodies have followed suit by issuing rules, laws, and guidance focused on documentation and reporting standards. In a new proposal, the Cybersecurity and Infrastructure Security Agency (CISA) is taking a significant step forward, seemingly with the aim of establishing standardized protocols for cyber incident reporting across industries. This initiative signifies a concerted effort to streamline processes and improve the overall resilience of our digital infrastructure.
ENFORCEMENT NEWS
US States Announce $16M Settlement with Experian, T-Mobile Over Data Breaches
The settlement is related to two cybersecurity incidents. The first incident came to light in 2012, when the Secret Service alerted an Experian subsidiary that an identity thief posing as a private investigator was abusing the company’s services to obtain sensitive personal information. The incident involved more than three million queries seeking personal information. The identity thief was caught and prosecuted, but authorities were unhappy that Experian never notified impacted individuals of the breach.
Then, in 2015, Experian disclosed an incident in which a hacker had accessed a network segment storing information of 15 million T-Mobile customers — Experian stored T-Mobile customer data because the mobile carrier was using it to process customer credit applications.
Notes
This case highlights two consistent themes. Firstly, it underscores the critical importance of prioritizing documentation and reporting in cybersecurity management. Companies must be well-prepared to assess, evaluate, and accurately report cyber incidents promptly. This entails understanding the operational impact and materiality of each incident. Secondly, it emphasizes the necessity for proactive and comprehensive third-party risk management, also known as Vendor Due Diligence. Companies should thoroughly comprehend how their vendors interact with their systems and data, as well as any associated cyber risks, encompassing both technical and operational controls.
Settlement for Cybersecurity Deficiencies Resulting in Data Breaches
CYBER NEWS
Cybercriminals Spoof US Government Organizations in BEC, Phishing Attacks | SecurityWeek
Threat actor TA4903 has been identified as the perpetrator behind Business Email Compromise attacks targeting several government agencies, including the US Department of Labor, Department of Housing and Urban Development, Department of Commerce, Department of Transportation, Department of Agriculture, and the Small Business Administration (SBA). They are suspected of having employed various tactics such as spoofed websites featuring bid proposal themes, QR codes embedded in PDFs, and HTML attachments to lure victims into providing credentials or unauthorized access via phishing campaigns.
Getting Security Remediation on the Boardroom Agenda | DarkReading
In addition to implementing proactive and strong security controls and risk management, CISO’s and other security leaders are challenged with obtaining business sponsorship to ensure relevant projects are supported, funded and aligned with business objectives. To do so, they need to compel business leaders to put security on the boardroom agenda. By presenting this data in the context of business impact, decision makers can better understand where risk resides and how to manage it. To be effective, CISO’s and security leaders will need to ensure that they focus on the accuracy of their security risk and remediation data through an iterative and continuous risk assessment and remediation process.
CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability| The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified and added a critical security flaw affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog. This decision is informed by evidence suggesting active exploitation of the vulnerability in real-world scenarios. This vulnerability continues to show up in environments that have not applied the patch which was released in mid-2023. This vulnerability poses a significant risk as it enables attackers to remotely execute code with escalated privileges, specifically at the Site Owner level. In practical terms, this means attackers could potentially deploy malware or engage in information theft.
Tax Hackers Blitz Small Business With Phishing Emails |DarkReading
Social security numbers have become a primary target for threat actors during the tax season. While larger companies have traditionally been targeted, small businesses are increasingly vulnerable due to their size and potentially inadequate security measures. Threat actors are obtaining email lists from the Dark Web to launch phishing campaigns against small businesses. These emails typically contain links prompting recipients to provide their federal employee identification number (EIN) or tax identification number required for filing federal taxes. Small businesses must remain vigilant against phishing attacks, especially during tax season. Implementing robust cybersecurity measures and educating employees about the risks associated with sharing sensitive information online are essential steps in mitigating these threats. Additionally, staying informed about the latest tactics used by threat actors and monitoring for suspicious activity can help safeguard against such scams.
DECODE THE TERMS
Zero-Day Vulnerability – a software vulnerability that is actively exploited by attackers before a patch or fix is available from the software vendor, posing a significant risk to users and organizations until mitigations can be implemented.
Packet Sniffing – the proactive of capturing and analyzing network traffic in real-time to inspect packets for sensitive information, such as usernames, passwords, or other unencrypted data, often used by network administrators for troubleshooting or security monitoring purposes.
Rootkit – a type of malicious software designed to conceal the presence of other malicious programs or unauthorized access on a computer system, typically granting attackers privileged access and control over the compromised system.
SQL Injection – a type of cyber-attack that exploits vulnerabilities in web applications by injecting malicious SQL code into input fields, allowing attackers to manipulate databases and access sensitive information.