Archive for CISA

CISA, NFL, and Super Bowl LVIII hold Cybersecurity Tabletop Exercise 

Posted in Commentary on September 22, 2023 by itnerd

This week, CISA, the NFL, Allegiant Stadium, and Super Bowl LVIII partners held a Super Bowl LVIII Cybersecurity Tabletop Exercise to explore, assess, and enhance cybersecurity response capabilities, plans, and procedures ahead of Super Bowl LVIII.
 
The 4-hour Tabletop Exercise brought together more than 100 partners from the NFL, stadium, and federal, state, and local governments in preparation efforts designed to ensure the safety of events at Allegiant Stadium. The collaborators’ aim is to discuss plans and procedures, resources, capabilities, and best practices for protecting against, responding to, and recovering from a significant cyberattack during the event.
 
“This was a safe, low-stress setting to identify any gaps in those plans and ensure we all have a shared understanding of roles and responsibilities. In short, this exercise will help ensure we’re ready for any challenges that come our way on game day,” said CISA’s Deputy Executive Assistant Director for Infrastructure Security Steve Harris.
 
During the exercise, participants discussed a hypothetical scenario that included phishing, ransomware, a data breach, and a potential insider threat – all with cascading impacts on physical systems.
 
“At the NFL, we understand how important it is to practice like you play, and this week’s exercise is the first of many simulations we will conduct prior to Super Bowl LVIII,” said NFL Senior VP and CSO Cathy Lanier.  

George McGregor, VP, Approov had this to say:

   “It is very encouraging to see this exercise was organized by the NFL and partners and CISA. Such a workshop should be a critical exercise before any major sporting event, to check that security and contingency plans are complete.

   “Such events have a highly dynamic cybersecurity attack surface which changes rapidly as multiple partners and vendors, and thousands of fans come together and interact with ticketing systems and points of sale using stadium Wi-Fi and via mobile devices. As a key part of this exercise, mobile apps which access sensitive information must be verified as being protected from impersonation or manipulation.”

Tabletop exercises like this one are good because they make sure that all parties are on the same page. Let’s hope that the lessons learned from this exercise aren’t ever needed.

NSA, FBI and CISA Release Cybersecurity Information Sheet On Deepfakes And Their Threats To Organizations

Posted in Commentary on September 14, 2023 by itnerd

The NSA, FBI and CISA have released a Cybersecurity Information Sheet (CSI) called Contextualizing Deepfake Threats to Organizations. Here’s the TL;DR via this media alert:

Today, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.

The authoring agencies urge organizations to review the CSI for recommended steps and best practices to prepare for, identify, defend against, and respond to deepfake threats.

Allen Drennan, Principal & Co-Founder, Cordoniq had this to say:

“The threat of deepfakes has been an ongoing challenge, however with the introduction of unregulated AI data mining that could provide unfettered access to media, this elevates the threat to a whole new level. Consumers who have provided photos, videos, audio and recordings to third-party social networks, email host providers and even online meeting solutions may find that their likeness is easily consumed by AI training models to better recreate deepfakes that not only look and sound like their intended target but also behave like them. Since many of these organizations maintain information for protracted periods of time as part of their terms of service, consumers may find these AI models can train against their likeness retroactively. Federal regulation of privacy as it relates to consumer-provided content to companies and organizations is critical in preventing the widespread use of deepfakes.”

This cybersecurity information sheet is very much worth reading, as this is an emerging threat that all should take seriously. And with emerging threats, it’s better to get out in front of them rather than be on the defensive.

All federal agencies must secure Internet-exposed devices: CISA

Posted in Commentary on June 16, 2023 by itnerd

In its first binding operational directive (BOD) of the year, Binding Operational Directive 23-02, CISA is giving federal civilian agencies just 14 days from discovery to lock down Internet-exposed network devices. The directive applies to all network devices with Internet-exposed management interfaces, such as routers, firewalls, proxies, and load balancers, that grant users admin access to the network.

CISA said it will be conducting scans to identify devices that fall under the BOD scope and notify agencies of their findings.

“Agencies must be prepared to remove identified networked management interfaces from exposure to the internet or protect them with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself,” they added.

Neal Dennis, Threat Intelligence Specialist, Cyware had this to say:

   “Controlling your exposure to the internet is critical to any security posture; the more devices directly accessible, the more chances for threat actors to do their thing. Adopting a Zero Trust methodology is a solid option, one that could limit both security concerns directly to the exposed device as well as accesses to connected systems should that device be compromised. A solid Zero Trust approach does not solve all security problems, but it definitely helps limit impact should a breach occur.

   “I view this as a very impactful move by CISA and shows they are taking their role seriously. All organizations, public and private, should strive to limit their publicly accessible internet footprint. Less exposure equals fewer targets for threat actors, which equals fewer devices you need to monitor for initial incursions, giving you more resources to hopefully monitor critical assets.”

It’s good to see that CISA is taking this seriously. And it would be in your interest to do the same thing if your company, or you at home, have devices exposed to the Internet, as threat actors will pwn anything if given the chance.

CISA Plans To Release White Paper On Software Identity

Posted in Commentary on June 12, 2023 by itnerd

CISA is planning to release a white paper on software identity this week at its “SBOM-a-Rama” event, as part of an effort to understand vulnerabilities.

Joe Saunders, CEO, RunSafe Security had this comment:

“Identifying vulnerabilities in software begins with identifying what’s in your software. We look forward to contributing our approaches on these matters because with the collective input we can develop a way to dramatically reduce the attack surface and develop ways to dramatically change the economics of cyber attack back in favor of the defenders. This is a unifying opportunity for the entire industry.”

Everything that we all do in terms of identifying vulnerabilities in software and addressing them is a good thing, because it takes away one avenue for the bad guys to pwn you or your environment.

CISA and Others Release Strategies for Protecting Smart Cities 

Posted in Commentary on April 22, 2023 by itnerd

CISA and NCSC along with their equivalents in Canada, Australia and New Zealand have published Cybersecurity Best Practices for Smart Cities designed to help stakeholders build protections into new systems from the planning stage.

The document warns that due to the intrinsic value of the large data sets, not only are smart cities vulnerable to financially motivated cyber-criminals but with complex, automated supply chains, terrorists could paralyze critical services and even cause physical harm or loss of life.

While infrastructure services are currently separate, the challenge for defenders is that integrating all systems into a single-network landscape will expand the digital attack surface for each participating organization, while making visibility and control more challenging for security teams.

Key recommendations are as expected and suggest that planners undertake:

  • Secure planning and design: principle of least privilege, MFA, zero trust architectures, prompt patching, device security, and protection for internet-facing services
  • Proactive supply chain risk management: covering the software supply chain, IoT and device supply chains, and managed/cloud service providers
  • Operational resilience: backing up systems and data, workforce training, and incident response and recovery

Carol Volk, EVP, BullWall (she/her) had this to say:

   “This effort by the US and other nations is a commendable move towards promoting cybersecurity in the planning and design of smart city systems. It highlights the recognition of the inherent risks associated with large data sets in smart cities and the need for proactive measures to protect against cyber threats.

   “The emphasis on secure planning and design, proactive supply chain risk management, and operational resilience in the recommendations is crucial in ensuring the security of smart city systems. 

   “In particular, recognizing the risks of centralizing too much data in smart city systems is significant. Centralized data can become a single point of failure and will attract malicious actors like bees to honey. Governments must consider the balance between data centralization for operational efficiency and the need for data protection and privacy. Even the best planning will be thwarted by determined attackers, whether private or nation states. After watching ransomware attacks increasingly evade the best preventative measures, we need solid detection and containment layers as standard fare in these new network designs.”

Bryson Bort, Founder and CEO, SCYTHE had this to say:

   “I have worked smart city security in various countries since 2015. The joint country collaboration on best practices is particularly interesting in this case. The smart city of tomorrow promises a better way of life for its citizens with possibilities like re-routing traffic with sensors but must design for resilience and protective measures to assure the digital traffic doesn’t hit any potholes.”

Corey Brunkow, Dir of Eng Operations, Horizon3.ai follows up with this:

   “The CISA doc is pretty general but has links to useful information and has a section on Supply Chain Security Guidance which is critically important as the recent Toyota Supply Chain attack demonstrated. This specific section from the UK NCSC addressing supply chain security guidance seems particularly relevant for best practices similar to what is needed.

  1. Understand the risks
  2. Know who your suppliers are and build an understanding of what their security looks like
  3. Understand the security risk posed by your supply chain”

Roy Akerman, Co-Founder & CEO, Rezonate:

   “Smart cities are here, and we will see more and more cities adopt these practices – both with technology innovation as well as with government services. CISA recommendations are logical, yet they are far from reality. They may seem like basic functions yet today there are no vulnerability-free environments, the speed of patching is never real-time, zero-trust is a continuous journey, not a one and done. Smart city infrastructure will be distributed across many vendors and many teams, inevitably resulting in an increased attack surface that will lead to security breaches if not handled properly.

   “It is critical for the foundation of smart cities to be connected and based on strong automation, as with the private sector, resources are limited but effective security practices must be put in place to safeguard identity data. The approach must include both proactive measures and a defense-in-depth approach assuming compromise and readiness when a security breach occurs. Success will be evaluated by how fast they are able to get back online.”

Smart cities are going to be considered critical infrastructure in the not so distant future. Thus it’s good to see these guidelines out there to make smart cities as safe as possible.

CISA to begin scanning for vulnerabilities

Posted in Commentary on March 17, 2023 by itnerd

On Monday, CISA announced that under its new Ransomware Vulnerability Warning Pilot (RVWP) program it has started scanning critical infrastructure entities’ networks for vulnerabilities to warn and help entities fix the flaws ahead of the bad actors.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.

CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

Naveen Sunkavalley, Chief Architect at Horizon3.ai had this to say:

   “CISA’s new program is a necessary and definite step in the right direction to protect critical infrastructure. Many N-day vulnerabilities are now being exploited by threat actors within days of being disclosed. Time is of the essence. The faster organizations are notified of critical vulnerabilities, the faster they can react to avoid compromise.

   “CISA’s program is not a panacea though. Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable.

   “Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”


Dave Ratner, CEO of HYAS follows up with this:

   “We continue to see increasing attacks on all aspects of critical infrastructure and believe that increased visibility and observability into what is happening in real-time inside the environment is critical to rapid identification of these attacks and shutting them down before they expand into major incidents.  

   “Attackers continue to find new and innovative ways to circumvent the perimeter and breach both IT and OT networks; however, given that the malware then needs to beacon out for instructions, visibility into outgoing communication – which domains and what infrastructure is being communicated with and how often — can identify anomalous and nefarious activity inside the network and provide a key layer of protection, if not the “last line of defense”, for all aspects of critical infrastructure.”

This is a good step in terms of fighting threat actors. But it is only a step. This has to be combined with the hard work of those responsible for defending networks against threat actors along with spending money on the tools to effectively fight threat actors. Otherwise the CISA’s work will mean nothing.

Zeppelin Ransomware Advisory Issued By The FBI and CISA

Posted in Commentary on August 23, 2022 by itnerd

CISA and the FBI have put out an advisory on Zeppelin ransomware that is very much worth reading. The advisory goes into great detail about how the ransomware works and includes some threat mitigation strategies.

Dr Darren Williams, CEO and Founder of BlackFog has this comment to share:

   “Zeppelin ransomware, a fairly well-known malware strain, has been in known use since 2019, often to target a wide range of businesses and critical infrastructure organizations. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

Zeppelin’s unique attack path is such that the FBI have observed the attackers executing the malware multiple times in the network, leaving a great big sting on the victim, who needs multiple unique decryption keys to combat the attack.

Attacks on hybrid working companies are nothing new, however it is crucial that employees remember they play a part in protecting themselves and the employer, too.

Attacks from vectors such as Zeppelin often start with a simple phishing email – employers must ensure they educate and remind their employees on cyber security best practices, to minimize attack risk. Standard, good cyber hygiene practice is essential here: remembering to regularly change passwords and use MFA as a basic practice. That said, if a threat actor wants to find their way in, they will! What matters is the data they were able to obtain and leave with…

Most cybercriminal gangs aim for extortion – organizations should also consider anti-data exfiltration to block the attacker and prevent data from being exfiltrated.”

I strongly suggest that you read this advisory, because if the FBI and CISA put out an advisory on this, you need to take it seriously.

CISA Adds Zyxel & Spring Cloud Gateway Vulnerabilities To Their List Of Actively Exploited Bugs

Posted in Commentary on May 17, 2022 by itnerd

CISA has added two vulnerabilities to its list of actively exploited bugs: specifically, a code injection vulnerability in the Spring Cloud Gateway library and a command injection flaw in Zyxel firmware for business firewalls and VPN devices.

Artur Kane, VP of Product for GoodAccess had this to say:

“Zero-day vulnerabilities are inevitable in SW and HW engineering. Sometimes this may be due to a flaw in the design, but often it is a goofy engineer who makes a wrong decision when under pressure to deliver on time. Attackers have loads of time to discover and access vulnerabilities. Then, such intelligence is sold on the dark web, hence it can spread rapidly in the community. Companies should look for such vendors who have a proven record of responding fast to zero-day vulnerabilities by issuing patches fast, who also have sufficient security certifications and standards. IT experts have options to mitigate the risk and impact in their hands too, by having regular vulnerability assessments and patching and updating programs in place. If the organization can’t meet such precautionary practices, they should also consider replacing their technologies with applications delivered as a SaaS, where there’s no self-hosted HW (with firmware) and/or software. Patching is done on the level of the application infrastructure and in most cases, much faster as it is in the hands of the vendor. When all these processes fail, as they sometimes do, it is a good practice to implement processes that minimize breach impact (microsegmentation, zero trust access, etc.) and incident response and remedial action plans.”

I would make it part of your security process to check the CISA list of exploited bugs so that you know where to focus your efforts and don’t get caught with your pants down, metaphorically speaking. Also, you should look at SaaS, as this takes a lot of the guesswork out of this.

The Five Eyes Issues Warning To MSPs And Their Customers

Posted in Commentary on May 12, 2022 by itnerd

If you use an MSP (managed service provider) to assist you in managing your IT infrastructure, or you are an MSP, you should pay attention to this. Members of the Five Eyes (Canada, USA, UK, Australia, New Zealand) today warned that managed service providers (MSPs) and their customers are being increasingly targeted by supply chain attacks. Multiple cybersecurity and law enforcement agencies have shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats.

Aimei Wei, CTO and Founder of Stellar Cyber had this comment:

“Attackers are more and more targeting organizations that have a cascading effect, where one compromise allows them to gain access to a large number of organizations. The Sunburst supply chain attack and now the MSP-targeted attacks are some of the examples.”

“Implementing the measures recommended by CISA and following their guidance to harden the MSP environment and increase the security posture will greatly reduce the chances of getting compromised. It is especially critical for MSPs to be able to detect the attack early and stop it before it spreads and causes more damage. MSPs should consider implementing a detection and response system that:

  • Detects early signs and stops the attack before further progression to minimize the damage
  • Shows a clear picture of how it happened to conclusively determine that the attack has been contained
  • Shows how far it has gone and the impact, to quickly determine which customers are impacted”

Saumitra Das, CTO and Co-founder of Blue Hexagon adds this comment:

“MSPs are typically given a lot of privileges on their customer networks. They can be a portal for attackers to get into victim networks such as what happened in the Kaseya attack. Organizations that use MSPs should be vigilant about their MSPs’ security posture and assess the risk of what happens if the MSP software is compromised. Convenience often means the MSPs get a lot of privileges for remote maintenance and this convenience can increase the chance of a supply chain attack escalating into a victim network.”

Finally, Christopher Prewitt who is the Chief Technology Officer of MRK Technologies had this to say:

“Managed Service Providers are always under attack. They are often primarily focused on IT operations and service desk related services, and usually do not have a depth of knowledge or capability in cyber security practices. As an attacker, if I can breach and impact an MSP, my impact has an exponential outcome. We continue to see this IT supply chain be targeted through Kaseya and MSPs.”

This warning is worth reading as it has a lot of recommendations to protect against attacks. Thus I would put aside time to read and implement these recommendations.

CISA Tells Everyone To Address F5 BIG-IP Vulnerability ASAP

Posted in Commentary on May 12, 2022 by itnerd

CISA has told federal agencies to fix an actively exploited F5 BIG-IP bug. The bug in question is CVE-2022-1388, which is described as follows:

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
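As an added example (not code from CISA, F5 or the original post), here is a defender-side version check that encodes exactly the affected ranges from the CVE description above, so an inventory of BIG-IP hosts can be triaged for patching. The hostnames and version strings in the sample inventory are constructed.

```python
"""Affected-version check for CVE-2022-1388 (F5 BIG-IP iControl REST auth bypass).

Added example, not CISA's or F5's code. It encodes only the version ranges
quoted in the advisory text; the sample inventory below is constructed.
"""
from __future__ import annotations

import re
from typing import Optional

# Branch (major, minor) -> first fixed version on that branch. None means the
# advisory lists every release on that branch as affected.
FIXED_VERSIONS: dict[tuple[int, int], Optional[tuple[int, ...]]] = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
    (12, 1): None,
    (11, 6): None,
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted BIG-IP version string such as '16.1.2.1' into an int tuple."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a dotted version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """Return True when the version falls inside a range the advisory lists as vulnerable.

    Branches the advisory does not mention (for example 17.x) return False;
    that means 'not listed', not 'proven safe'.
    """
    parts = parse_version(version)
    if len(parts) < 2:
        raise ValueError("BIG-IP versions need at least major.minor")
    branch = (parts[0], parts[1])
    if branch not in FIXED_VERSIONS:
        return False
    fixed = FIXED_VERSIONS[branch]
    if fixed is None:
        return True  # every release on this branch is affected
    # Tuple comparison handles differing lengths: (13,1,4,9) < (13,1,5) is True,
    # (13,1,5,1) < (13,1,5) is False.
    return parts < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into affected and not-listed hosts."""
    result: dict[str, list[str]] = {"affected": [], "not_listed": []}
    for host, version in sorted(inventory.items()):
        result["affected" if is_affected(version) else "not_listed"].append(host)
    return result


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "lb-edge-01": "16.1.2.1",
    "lb-edge-02": "16.1.2.2",
    "lb-core-01": "15.1.5.1",
    "lb-core-02": "15.1.4",
    "lb-legacy-01": "12.1.6",
    "lb-new-01": "17.0.0",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host that comes back "not_listed" still needs the vendor advisory checked; the function only knows the ranges quoted here.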

F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers and consumer brands including Microsoft, Oracle and Facebook. Thus this isn’t trivial in the slightest, as it affects a lot of big companies, which is why CISA also said that private companies should address this and the other issues that CISA brings to light.

I managed to get multiple comments on this. Starting with Christopher Prewitt who is the Chief Technology Officer of MRK Technologies:  

“This vulnerability is critical and should be remediated as soon as possible by turning off the iControl REST service. This vulnerability is simple to exploit by an attacker, and with these systems internet connected, many organizations may be at risk of breach.”

Saumitra Das, CTO and Co-founder of Blue Hexagon had this to add:

“This continues the trend of security and access devices also proving to be portals for attackers to get into target networks. We have seen similar issues in 2021 with VPN devices, firewalls, and email gateways. Having MFA on admin logins, and limiting lateral movement from and public exposure of third-party security and networking appliances, is a critical requirement to protect the organization. Be it supply chain related or a new vulnerability, organizations need to minimize blast radius.”

This is something that needs to be addressed ASAP. Thus I would take CISA’s advice and address this now, as it’s a safe bet that threat actors are exploiting this at present.