SANS NewsBites

US National Cybersecurity Emphasizes Need for Regulation; Enable GitHub Secret Scanning on All Libraries; Make Sure You Are Not Repeating Booking.com’s OAuth Misconfiguration

March 3, 2023  |   Volume XXV - Issue #18

Top of the News


2023-03-02

White House US National Cybersecurity Strategy Seeks to Shift Responsibility for Cybersecurity to Tech Companies

On Thursday, March 2, the White House released its National Cybersecurity Strategy, which rests on five pillars: defending critical infrastructure; disrupting and dismantling threat actors to blunt their threat to national security and public safety; shaping market forces to boost security and resilience; investing in a resilient future through “strategic investments and coordinated, collaborative action;” and forging international partnerships to achieve common goals. The strategy’s initiatives include shifting responsibility for cybersecurity onto manufacturers rather than end users, imposing minimum security standards on critical infrastructure operators, and directing the Office of Management and Budget (OMB) to oversee technology modernization at federal civilian agencies.

Editor's Note

Two key points in this strategy: (1) Much more talk about regulation, but the US has a very poor record of ever actually passing meaningful federal cybersecurity regulation – witness 20 years of draft national privacy laws that never see daylight; (2) We have seen in the past that the government’s best leverage is through its buying power. To me, the most important thing this strategy says is “We will use Federal purchasing power and grant-making to incentivize security.” But, to be a nattering nabob of negativism: Here’s what President Clinton’s strategy said in 1998: “The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection.” Changing government procurement rules to require higher levels of security and testing of all products and services the government procures should be easier than getting politicians to agree – we have examples like FIPS 140-1 and FedRAMP of that being true, but need many more.

John Pescatore

The much anticipated National Cybersecurity Strategy has dropped. In many respects it’s a continuation of the 2018 Strategy. The primary differences are regulating critical infrastructure sectors and [potentially] shifting the liability burden from consumers to software vendors. On regulation, you can only do so much via executive order. If the strategy is to be fully implemented, the legislative branch will have to be involved. On shifting software liability, defining and measuring ‘secure by design’ is very complicated. Additionally, any liability changes will require action by Congress.

Curtis Dukes

This strategy intends to level the playing field through more specific regulatory requirements to ensure consistent implementation. So long as a risk-based approach remains, this will get us where we need to be. These regulations, and corresponding guidance from NIST and CISA, should be tools the private sector can leverage in planning their cyber strategy. The biggest challenge is going to be how solutions and deployment teams are funded. While mention is made of federal buying power, consideration has to be given to implementation, process engineering, and mortgage costs.

Lee Neely

We have to start somewhere, but this strategy suggests the difficulty of this problem. We are in far worse shape, with heavier reliance on technology, and more vulnerable than we were in the Clinton Administration. One might well like to see a strategy that stressed measurement. To paraphrase Thompson, "If one cannot measure it, one cannot recognize its presence or its absence," and Deming, "If you do not measure it, you cannot improve it."

William Hugh Murray

2023-03-01

GitHub Secret Scanning is Now Available to Everyone

GitHub secret scanning alerts are now available for all public repositories. GitHub opened the public beta in December 2022. Secrets are credentials that are inadvertently committed to a repository; they include authentication tokens, API keys, private keys, and passwords. The feature is enabled per repository, so each owner still has to turn it on (in the repository’s Settings under Code security and analysis, or via the REST API), and a secret that reaches a public repository should be treated as compromised and rotated regardless of whether it is later removed from history.
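GitHub’s scanner runs on its side after a push; the point of the item is that secrets should never reach the remote at all. The following added example (not GitHub’s code or rule set, which is partner-maintained and far larger) shows the shape of a local pre-commit secret check: a handful of assumed token patterns modelled on well-known credential formats, plus a Shannon-entropy fallback for long quoted strings, run over a constructed config file. The pattern names, the 4.0 bits/char threshold and the sample tokens are all assumptions made for the illustration.

```python
import math
import re
from dataclasses import dataclass

# Assumed patterns modelled on well-known credential formats. They are an
# illustration, not GitHub's own secret-scanning rules.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Fallback heuristic: a long quoted string whose entropy looks like a key.
QUOTED_STRING = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Keep only the first and last four characters so reports never leak the secret."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(path, text):
    """Return one Finding per suspected secret in text, tagged with its 1-based line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                matched = True
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        if matched:
            continue  # a known-format hit already covers this line
        for m in QUOTED_STRING.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", redact(m.group(1))))
    return findings


# Constructed sample file content; the tokens are deliberately fake.
SAMPLE_CONFIG = """# app settings (constructed example)
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "changeme"
session_secret = "Zk8pQ2mX7vLw3nRt9bYc4dFh"
placeholder = "AAAAAAAAAAAAAAAAAAAAAAAA"
"""


def scan_sample():
    return scan_text("config.py", SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line}: {f.kind}: {f.redacted}")
```

Run against the sample, the two fixed-format tokens are reported by name, the 24-character random-looking session secret is caught by the entropy fallback, and the short password and the all-“A” placeholder are not flagged. A hook like this is a complement to, not a replacement for, the server-side scanning: it catches the common case before the push, while GitHub’s scanner also covers history and partner-verified token formats you did not think to list.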


2023-03-02

Booking.com Fixes OAuth Misconfiguration That Allowed Account Takeover

Salt Labs researchers found that misconfigurations in Booking.com’s implementation of the OAuth authorization standard could have been exploited to take over user accounts. The attack chained three separate issues in the login flow; no single one of them was sufficient on its own. Booking.com has fixed the problem.
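The item does not describe the three issues, and the following is not a reconstruction of them. It is an added example, written here rather than taken from Salt Labs or Booking.com, of the single OAuth check that most often makes account takeover possible: validating redirect_uri by prefix instead of by exact match. The registered callback, the attacker-style URIs and the hypothetical client registration are constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed registration for a hypothetical OAuth client (not a real service).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def _origin(uri):
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}"


def redirect_allowed_weak(redirect_uri):
    """Common misconfiguration: accept any redirect_uri that merely starts with
    the registered origin. Lookalike hosts, userinfo tricks, extra path segments
    and open-redirect endpoints on the real host all pass this check."""
    return any(redirect_uri.startswith(_origin(reg)) for reg in REGISTERED_REDIRECT_URIS)


def redirect_allowed_strict(redirect_uri):
    """Exact match after parsing: scheme, host, port and path must equal a
    registered value. Query strings and fragments are rejected outright so the
    authorization code can only land where the client registered it."""
    p = urlsplit(redirect_uri)
    if p.scheme != "https" or p.fragment or p.query:
        return False
    candidate = f"{p.scheme}://{p.netloc}{p.path}"
    return candidate in REGISTERED_REDIRECT_URIS


def new_state():
    """Per-login CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def state_matches(expected, received):
    """Constant-time compare of the state echoed back on the callback.
    A missing state on either side is a failure, never a pass."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)


# Constructed attacker-style callback URIs, all sharing the registered prefix.
ATTACKER_URIS = [
    "https://app.example.com.attacker.net/oauth/callback",
    "https://app.example.com@attacker.net/oauth/callback",
    "https://app.example.com/oauth/callback/../../redirect?to=https://attacker.net",
    "https://app.example.com/oauth/callback?next=https://attacker.net",
]


def evaluate(uris=ATTACKER_URIS):
    """Map each URI to (weak_result, strict_result) so the two checks can be compared."""
    return {u: (redirect_allowed_weak(u), redirect_allowed_strict(u)) for u in uris}


if __name__ == "__main__":
    for uri, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
```

Every constructed URI passes the prefix check and fails the strict one; only the literally registered callback passes both. Exact-match comparison is what RFC 6749 section 3.1.2 permits, and pairing it with a per-request state that is checked with a constant-time compare closes the two ends of the flow an attacker needs to control to redirect a victim’s authorization code or token to themselves.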

The Rest of the Week's News


2023-03-02

Good and Bad Data Breach Responses

This article examines the good and the bad in the ways five organizations – Cash App, International Committee of the Red Cross (ICRC), LastPass, Rackspace, and Zacks Investment Research – responded to data breaches.

Editor's Note

Good reading to base a desktop exercise around to make sure your breach responses will be more like the “Do-be’s” than the “Don’t be’s.”

John Pescatore

This 8-minute read would be excellent homework before you gather to work your business continuity plan and exercise. Not only does this give you ideas about what sort of actions did or did not work, it's also food for thought when creating that tabletop exercise.

Lee Neely

A good summary of incident response [in]action by several companies that suffered a cyber breach. The key takeaways from the article: 1) be responsible, bad news doesn’t get better over time; 2) be transparent to both employees and users; and 3) provide a post mortem on the attack to include where defenses failed.

Curtis Dukes

2023-02-28

Details of Dish Network Cybersecurity Incident Trickle Out

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), satellite television provider Dish Network said that the network outage it first reported on February 23 resulted in some data being exfiltrated. As of Thursday morning, the Dish Network website still indicated that it is “experiencing a system issue.”


2023-03-02

Cisco Updates Fix Flaws in Web UI of IP Phones

Cisco has released updates to fix two vulnerabilities in the web-based management interface of several models of its IP phones. The first vulnerability (CVE-2023-20078) is an insufficient validation of user-supplied input issue that could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. The second vulnerability (CVE-2023-20079) is an insufficient validation of user-supplied input issue that could be exploited to cause a denial-of-service (DoS) condition. There are no workarounds; the fix is to update the firmware.


2023-03-02

CISA Adds ZK Framework Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added one bug to its Known Exploited Vulnerabilities catalog. The flaw in ZK Framework’s AuUploader component (CVE-2022-36537, listed by CISA as an “unspecified vulnerability”) could allow an attacker to retrieve the content of a file located in the web context. The vulnerability was patched in May 2022; CISA notes that it is being actively exploited against unpatched systems, including products that bundle ZK Framework.


2023-03-02

CISA Launches Free Tool to Help Map Attacker Activity to MITRE ATT&CK Framework

The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Decider web application, a tool that “helps network defenders, analysts, and researchers quickly and accurately map adversary tactics, techniques, and procedures (TTPs) to the ATT&CK knowledge base.” Decider was created in partnership with Homeland Security Systems Engineering and Development Institute™ (HSSEDI) and the MITRE ATT&CK team.


2023-03-02

BlackLotus Bootkit Can Bypass Secure Boot on Windows 11

According to a report from ESET researchers, the BlackLotus UEFI bootkit malware can bypass Secure Boot on fully patched Windows 11 machines. The bootkit exploits a known vulnerability (CVE-2022-21894) that Microsoft fixed in January 2022, although "exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list." Because the vulnerable bootloaders remain signed and unrevoked, the bootkit simply brings its own copy, so applying the Windows update alone does not close the hole.


2023-03-02

Recently Disclosed Health Sector Data Breaches

Recently disclosed data breaches affecting the healthcare sector include a network server breach at Evergreen Treatment Services in Washington State; a network server breach at Sentara Healthcare in Virginia; a network server breach at the Health Benefit Plan of Bridgewater-Raritan Regional School District (BRRSD) in New Jersey; and patient data exposure at Hutchinson Clinic in Kansas.

Internet Storm Center Tech Corner

YARA: Detect the Unexpected

https://isc.sans.edu/diary/YARA+Detect+The+Unexpected/29598

Python Infostealer Targeting Gamers

https://isc.sans.edu/diary/Python+Infostealer+Targeting+Gamers/29596

BB17 Distribution Qakbot (Qbot) activity

https://isc.sans.edu/diary/BB17+distribution+Qakbot+Qbot+activity/29592

SANS.edu Student Marco Gfeller: Lightweight Python-Based Malware Analysis Pipeline

https://www.sans.org/white-papers/lightweight-python-based-malware-analysis-pipeline/

Drone Security and the Mysterious Case of DJI's DroneID

https://github.com/RUB-SysSec/DroneSecurity

Booking.com OAuth Flaw

https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com

DNS Abuse Techniques Matrix

https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf

BlackLotus UEFI Bootkit

https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

TCG TPM2.0 implementations vulnerable to memory corruption

https://kb.cert.org/vuls/id/782720

Aruba Vulnerability

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt

Cisco VoIP Phone WebUI RCE

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

LastPass Incident Details

https://support.lastpass.com/help/incident-1-additional-details-of-the-attack

https://support.lastpass.com/help/incident-2-additional-details-of-the-attack

CISA Red Team Shares Key Findings

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a

Jailbreak Chat

https://www.jailbreakchat.com