The IT Nerd

EU countries and EU lawmakers on Thursday agreed to rules to protect laptops, fridges, mobile apps and smart devices connected to the internet from cyber threats following a spate of such attacks and ransom demands in recent years around the world:

The European Commission, the European Union’s executive arm, proposed the new law last year in a bid to tackle the increasing risk from cyber threats to any smart devices, including a growing number of household goods as products become more connected.

The commission hopes the rules could save companies affected by such cyber incidents between 180 to 290 billion euros ($196-305 billion) every year.

The law will affect any product that is connected either directly or indirectly to another device or to a network.

The new rules introduce EU-wide cybersecurity requirements for the design, development and production of hardware and software products.

Manufacturers will also be forced to assess the cybersecurity risks of their products, and the rules demand greater transparency on the security of hardware and software products for consumers and business users.

Alongside CISA’s push for “secure by design” and the White House mandate for security nutrition labels on consumer devices by December 2024, this is a significant moment in the security of network-embedded devices. Pia McSharry, Security Strategist at Beyond Identity, shared the following commentary: 

Device health is of the utmost importance to an organization’s overall cybersecurity posture. Putting the onus back on the manufacturer to produce devices that are “secure by design” eases the responsibility on the end user. Between this move by the EU and CISA/White House push for consumer security labels on devices by December 2024, IoT manufacturers will have to change their current practices to meet these new requirements and change up software and production practices.

The importance of upholding specific security hardening guidelines which are monitored and maintained by manufacturers is extremely important for organizations to minimize their attack surface.  The management of the security posture of any connected device should be a shared responsibility between the manufacturer and the consumer.  The manufacturer should always communicate the security standards used to harden the device, and the consumer should be aware of any potential security gaps to assure they are mitigating the risks effectively.  This is a step forward to making security a priority for all.

Given that everything from lightbulbs to cars is on the Internet, this is a great move by the EU. Hopefully this forms the basis for devices that are assumed to be secure rather than something that you have to question its security.

UPDATE: George McGregor, VP, Approov Mobile Security Had This To Say:

   “Despite a lot of pushback, particularly on the 24 hour breach reporting requirements,  the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024.  Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.

   “Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding. 

   “This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four business day reporting rule.   

   “This trend will continue and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response. 

David Ratner, CEO, HYAS Infosec follows with this:

   “The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility.  However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks.”

The U.S. Navy has released its first cybersecurity strategy as the service tries to modernize its efforts in the space after years of staffing and preparedness issues.

The blueprint devised by Chris Cleary, the Navy’s principal cyber advisor, and its CIO, features the following seven lines of effort:

• Improve and support the cyber workforce
• Shift from Compliance to Cyber Readiness
• Defend Enterprise IT, Data, and Networks
• Secure Defense Critical Infrastructure and Weapon Systems
• Conduct and Facilitate Cyber Operations
• Partner to Secure the Defense Industrial Base
• Foster Cooperation and Collaboration

Troy Batterberry, CEO and founder, EchoMark had this comment:

   “In order for the USA to achieve and maintain information superiority, we must adopt new forms of insider risk management. Nearly all major government agencies have experienced highly damaging leaks in part because the leaker (insider) felt they would never be caught. An entirely new approach is required to help change human behavior. Information watermarking is one such technology that can help keep private information private.”

Stephen Gates, Principal Security SME, Horizon3.ai follows with this:

   “In the context of the Department of the Navy Cyber Strategy 2023, one line of effort stands out among the others: 2.0 Shift from Compliance to Cyber Readiness. As recent cyber events have repetitively proven, a purely defensive cyber strategy is not working and must be augmented by “adversarial assessments” of your own environments.

   “These adversarial assessments are not the run-of-the-mill vulnerability scans. These assessments are cyber red team exercises whereby organizations attack themselves using the same tools, tactics, and procedures (TTPs) attackers use. The reason for this is simple. If you cannot find that hidden chink in your armor, that crack in your layered walls of defense, that blind spot you didn’t even know existed, you will never be able to adequately defend yourself against a purposeful attacker with nothing but time on their side – and disruption on their mind.

   “Today, autonomous assessment solutions that let your see your environments through the eyes of an attacker are readily available. Having these solutions in the hands of highly skilled red teams allows them to force-multiply, meaning, they can do expansive cyber readiness exercises simultaneously, while using these solutions to accelerate their assessment analysis. Furthermore, these solutions also meet the objective of prioritizing mitigations and reassessment tracking to ensure issues have been remediated and readiness is confirmed.”

At least the Navy realizes that it has issues, and is moving to address them. That’s good. But everyone will be watching to see if the Navy “walks the walk” as opposed to just “talking the talk”.

According to a joint announcement by Minister for Cyber Security Clare O’Neil and Minister for Small Business Julie Collins, the Australian government is pledging an $18.2 million investment to help SMBs improve their cybersecurity resilience and response as part of the 2023-2030 Australian Cyber Security Strategy.
 
$7.2 million will be put towards establishing a voluntary cyber health-check program for SMBs to check their cyber security maturity and gain access to educational tools and materials they need to upskill. Also, high risk SMBs will have access to “a more sophisticated, third-party assessment to provide additional security across national supply chains.”
 
The remaining $11 million will go towards the Small Business Cyber Resilience Service which will provide one-on-one assistance to help small businesses navigate their cyber challenges, including walking them through the steps to recover from a cyber-attack.  

“Uplifting the cyber security of our small businesses is integral to a cyber secure and resilient nation, and this dedicated support will make a huge difference in their preparedness and resilience,” O’Neil said in a statement.

According to the Australian Small Business and Family Enterprise Ombudsman, there are more than 2.5 million small businesses in Australia, making it 97% of all businesses.

George McGregor, VP, Approov Mobile Security:

   “This is an important initiative – small businesses are especially vulnerable to cyber-attacks and don’t have the resources to invest heavily in skills and technology to defend their business. They also depend heavily on services and APIs offered by larger companies and without adequate protections can inadvertently provide a path for attackers to target those services too. We need to see more of these initiatives by governments to make implementing best in class security practices easy for SMBs.”

Anything that helps SMBs to protect themselves from cyberattacks is a good thing. SMB’s get the fact that they need to be protected, but they might need some help to get them across the finish line so to speak.

Yesterday, New York Governor Kathy Hochul proposed a new set of cybersecurity regulations that would apply to hospitals across the state. The proposal also included $500 million in funding to help healthcare facilities upgrade their technology systems to meet the requirements of the proposed rules.
 
If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on December 6th requiring hospitals to implement infrastructure to defend against and prevent cyberattacks and develop incident response plans.
 
New York hospitals will also be required to:

• Establish a CISO role  
• Use MFA  
• Establish policies for evaluating and testing third-party security
• Run tests to ensure patient care would continue should there be an incident

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Hochul stated.
 
“These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

Emily Phelps, Director, Cyware had this to say:

   “Governor Kathy Hochul’s new cybersecurity regulations proposal for New York hospitals represents a significant step in reinforcing the resilience of healthcare facilities against cyber threats. Mandating the establishment of a Chief Information Security Officer (CISO) role and enforcing Multi-Factor Authentication (MFA) aim to fortify the defenses of healthcare systems.

   “With our interconnected world, it is true we need interconnected defenses. A crucial aspect is a focus on collective defense and software supply chain security in healthcare. Collective defense involves leveraging shared knowledge and resources to improve the overall cybersecurity posture of all involved entities. In healthcare, where organizations deal with sensitive data across modern and legacy systems, leveraging healthcare ISACs and trusted intelligence sharing help these entities become more proactive.

   “Furthermore, the emphasis on evaluating and testing third-party security is a proactive measure to secure the software supply chain. Healthcare organizations rely heavily on various software solutions and third-party services, making them vulnerable to supply chain attacks. Regular testing and policy establishment for third-party security will help mitigate these risks.”

Paul Valente, CEO & Co-Founder, VISO Trust follows with this:

   “The lack of funding for security within the healthcare sector has led to the industry becoming a primary target for cyber criminals.  Ransomware has become endemic with healthcare organizations, more frequently leaving them with no choice but to pay the ransom, rather than risk patient safety.  

   “Third-party risks pose significant challenges for hospitals due to their complex relationships with supply chain vendors and the evolving nature of cyber threats. Understaffing and outdated and complex techniques further hinder effective cyber risk management. Governor Hochul’s funding and requirements are just a starting point in safeguarding these institutions. It’s great to see New York taking the lead and it will be intriguing to see which states follow suit.”

Given that the negative outcome that can happen when cybersecurity in health care isn’t top of mind was in the news recently, this is a good move by New York State as prevention is better than pwnage.

Jointly, CISA, the Department of Homeland Security and FEMA have launched the “Shields Ready” initiative, a new campaign designed to encourage critical infrastructure (CNI) stakeholders to enhance cyber-resilience in their organizations.

Shields Ready is intended to complement the “Shields Up” campaign, which was focused on helping all organizations and individuals, Shields Ready is specifically about improving CNI processes.

The initiative urges CNI providers to:

• Understand infrastructure and dependencies
• Conduct comprehensive risk assessments
• Make actionable plans
• Measure progress and drive continuous improvement through testing

CISA director, Jen Easterly, highlight that it is vital for hospitals, schools, water facilities and other CNI entities, to have the resources they need to respond to and recover from cyber disruptions.

“By taking steps today to prepare for incidents, critical infrastructure, communities and individuals can be better prepared to recover from the impact of the threats of tomorrow, and into the future.”

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

   “In the context of the US government launching a new campaign to encourage critical national infrastructure (CNI) operators to enhance their cyber-resilience, one of the four key messages stands out as a considerable challenge: Conduct comprehensive risk assessments. This is more difficult than most people believe when organizations solely rely on humans to perform risk assessments. In fact, there are simply not enough qualified and certified risk assessment professionals available today.

   “Therefore, a paradigm shift in the mindset of CNI operators needs to happen. This shift includes augmenting their human-based risk assessments (often in the form of periodic penetration tests and regular scheduled vulnerability scans) with autonomous systems designed to discover where CNI operators are truly at risk. These systems operate autonomously, peruse network environments on their own, discover truly exploitable vulnerabilities, safely exploit what they discover, provide proof of compromise, and deliver expert guidance on how to remediate these risks – preemptively.

   “The first step to using these autonomous systems is assuming defenses have already been breached. Once that happens, these systems will help CNI operators find, fix, and verify that their exploitable vulnerabilities are drastically reduced, help measure progress, and drive continuous security improvement. This is not a one-and-done thing performed on an annual or periodic basis. Instead, it becomes part of everyday, good cyber-hygiene due care.”

Mike Barker, CCO, HYAS adds this comment:

   “The imperative nature of this initiative cannot be overstated. Investing in cyber-resilience now is an investment in safeguarding the continuity and security of our critical infrastructure in the face of evolving threats. “Shields Ready” serves as a beacon for organizations to fortify their defenses, enabling a more resilient and secure future for critical infrastructure and the communities they serve.”

Dave Ratner, CEO, HYAS follows up with this comment:

   “Improving processes and hardening systems is critical for any CNI organization but must be paired with the right solutions for resiliency in the face of continual onslaughts of threats and attacks; that’s why it makes complete sense to pair the Shields Up initiative with Shields Ready. Only through a complete security-in-layers approach will critical infrastructure really be properly prepared for and resilient against cyber intrusions.”

This is another one of those first steps that is long over do. What everyone needs to do is to keep taking steps to harden CNI so that it is a less attractive target for threat actors.

In a recent White House proclamation, November has been designated as Critical Infrastructure and Resilience Month. This annual observance is aimed at raising awareness and engaging all levels of government, infrastructure owners/operators, and the American public in understanding the crucial role played by critical infrastructure in the nation’s health and well-being. It emphasizes the importance of bolstering security and resilience in critical infrastructure.

CISA underlined the significance of the initiative, emphasizing the need for organizations to protect their systems and networks. Dr. David Mussington, CISA’s Executive Assistant Director for Infrastructure Security, offered valuable advice, which includes:

• Assess Your Risk. Organizations should identify their most critical functions and assets, define dependencies that enable the continuity of these functions, and consider the full range of threats that could undermine functional continuity.
• Make a Plan and Exercise It. Organizations should perform dedicated resilience planning, determine the maximum downtime acceptable for customers, develop recovery plans to regain functional capabilities within the maximum downtime, and test those plans under real-life conditions to ensure the ability to operate through disruption.
• Continuously Improve and Adapt. Organizations should be prepared to regularly adapt to changing conditions and threats. This starts with fostering a culture of continuous improvement, based on lessons learned from exercises and real-world incidents, and evolving cross-sector risks.

CISA provides a “Critical Infrastructure Security and Resilience Month Toolkit” that offers a broad range of resources.

Dave Ratner, CEO, HYAS has this comment:

   “I applaud the White House for realizing how important the topic of resilience is for critical infrastructure across government and private enterprise. Gone are the days where we could reliably and confidently say that we can keep all criminals and bad actors out of the network. The reality of today is that organizations must be resilient against the onslaught of constant intrusions, and there is nothing more important for the health, well-being, and safety of people than the various critical infrastructure industries.”

Emily Phelps, Director, Cyware adds this comment:

   “The White House’s designation of November 2023 as Critical Infrastructure and Resilience Month is a great initiative for national security. This dedication to raising awareness about the criticality of infrastructure resilience underscores the reality that the robustness of these systems is integral to our society. Moving to a proactive stance when implementing and adapting cybersecurity strategies is crucial to outpacing an ever-evolving adversary. CISA’s call for a culture of continuous improvement to anticipate and counteract evolving cyber threats is a great step to educate and build momentum around modernized cybersecurity strategies.”

Mike Barker, CCO, HYAS follows with this comment:

   “The designation of November as Critical Infrastructure and Resilience Month marks a pivotal step in recognizing the fundamental role critical infrastructure plays in our nation’s stability.  It’s crucial that we take advantage of this designation and elevate awareness and participation across all sectors to fortify the resilience of these systems.  Assessing risks, meticulous planning, and regular adaptation are key in ensuring preparedness against evolving threats.”

Anything that brings light to the fact everyone needs to build resiliency into everything possible is a good thing. Which is why I applaud The White House for doing this. Hopefully everyone is paying attention.

According to the ISC2 2023 Cybersecurity Workforce Study released this week, the global cybersecurity workforce gap has increased by 12.6% since 2022 reaching four million people.

Despite an 8.7% increase in the global cybersecurity workforce compared with 2022, reaching 5.5 million professionals, of professionals surveyed, 92% said they had skills gaps in their organization and 67% reported a shortage staff needed to prevent and troubleshoot security issues.

47% of respondents said they had experienced cyber-related cutbacks in the past year, including layoffs, budget cuts and hiring or promotion freezes, and, of that group, 22% were impacted by layoffs, both first- and second-hand.

Furthermore, 47% of respondents admitted they have no or minimal knowledge of AI and risks associated while AI and emerging technologies was cited as the biggest challenge facing cybersecurity professionals over the next two years (45%), followed by worker/skill shortages (43%).

Encouragingly, 52% of cyber professionals said their organizations are encouraging the use of AI internally and that advancements in AI is the third most positive impact on their ability to secure their organization, behind zero trust (34%) and automation (40%).

Dave Ratner, CEO, HYAS:

   “The combination of the cybersecurity skills gap, overall personnel shortage, and rising and increasingly sophisticated attacks is a perfect storm for bad actors and nefarious activity.  Without solutions like Protective DNS to automatically pinpoint and identify anomalous activities, organizations are increasingly at risk for exploitation, and are one of the only ways to confidently address the growing storm.”

This skills gap is a threat to us all as it gives more opportunities for threat actors do all sorts of evil things. Everyone needs to address this or we’ll be in all sorts of trouble that there will be difficult to exit from.

This week, the White house is hosting the third International Counter Ransomware Initiative (CRI) summit bringing together 48 countries, the EU and Interpol to discuss several new initiatives including a pledge from member states not to pay ransoms.

The CRI will begin using a new information sharing platform enabling member countries to easily exchange details of threat indicators so “if one country is attacked, others can quickly be defended against that.” Officials hope to establish “collective threat information to enable countries to better and more effectively defend themselves.”

Also, debuted is a new project leveraging AI to analyze blockchain as a way of identifying illicit funds used to pay ransomware demands. CRI will also share a “blacklist of wallets” through the U.S. Department of Treasury to track where illicit funds are flowing so officials can “alert their virtual assets service providers to block or freeze those transactions.”
 
Also, the CRI will offer “innovative mentorship and tactical training” programs for newer members, citing how Israel has coached Jordan on countering ransomware as one example.

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

   “Not paying criminals the ransoms they demand and following the money trail is an honorable initiative to undertake. However, non-government organizations like financial services, higher education, healthcare, manufacturing, retail, gaming, and many others have been forced to pay ransoms so they could get their operations back up and running. Their livelihoods have been at stake. The impact on commercial organizations not paying their ransoms may end up being worse than the alternative.

   “Therefore, a paradigm shift in the mindset of all organizations needs to happen. That shift includes augmenting their completely defensive security approach with an offensive approach designed to actually find where they are most vulnerable to human-operated ransom-based attacks and fixing those issues before they fall victim. This preemptive security approach, using specifically designed autonomous systems, can majorly reduce the likelihood of falling victim to a targeted attack.

   “The first step to using these autonomous systems is assuming your defenses have already been breached. Once that happens, these systems will help you find, fix, and verify that your exploitable vulnerabilities are drastically reduced. This is not a one-and-done thing performed on an annual basis. Instead, it becomes part of your everyday, good cyber-hygiene due diligence.”

Any effort to disrupt the flow of money to ransomware gangs is a good thing. So is co-ordinating with allies on that. Hopefully this effort bears some fruit and put these gangs out of business.

According to the Identity Theft Resource Center’s 2023 2023 Business Impact Report, of the 551 US small business owners and employees interviewed, 73% reported a cyber-attack last year targeting employee and customer data.  

Despite only 20-34% following cybersecurity best practices such as MFA, mandatory strong passwords or role-based access, 85% of respondents said they felt ready to respond to a cyber incident. 50% claimed to have taken steps to prevent future breaches through training (65%) and utilizing new security tools (53%).

Although the overall number of small businesses suffering a financial impact from a cyber-attack dropped three percentage points from last year to 42%, more respondents said they saw other impacts, such as customers losing trust (32%) and higher employee turnover (32%).

“The good news is that small business leaders are focused on data security and privacy protection. However, we still have a lot of work to do. We must accelerate the transition to newer protections and continue to develop new resources to assist victims based on solid research and unmistakable evidence,” ITRC president, Eva Velasquez said.

George McGregor, VP, Approov Mobile Security had this to say:

   “This is disappointing, with very poor levels of implementation of basic best practices and only half of the companies taking steps to stop breaches.

   “I also think the “good news” in the report – a reported reduced financial impact of breaches – is  probably not to be taken too seriously either. If self-reported it may not be accurate.

   “There will be more and more pressure on small businesses as new reporting requirements come into force and they will be forced to take the issue of cybersecurity more seriously.”

I deal with a number of small businesses. Some get cybersecurity and some think that they aren’t big enough to be to be a target. Or they don’t have the resources to make a serious effort in terms of protecting themselves. All of that is wrong and needs to change in a hurry before something happens that makes them rethink their stance on this.