2019 Week 40 Security news summary


A couple of big ransomware events have happened this week.  Two school systems were hit with ransomware, continuing a trend that has seen over 500 schools hit so far this year.  Depending on which reports you read, that number could be over 1,000.  Note that in 2018 we had around 119 educational incidents, with only 11 being ransomware.  This makes schools second only to local government entities in the number of attacks on public-sector organizations.
International Business Times discusses how the use of cyber insurance may be part of the reason for the uptick:  https://www.ibtimes.com/ransomware-hits-hundreds-us-schools-local-governments-study-2837573
KOCO in Oklahoma City covers it from the standpoint of Guthrie Public Schools, which was hit:  https://www.koco.com/article/guthrie-public-schools-hit-by-ransomware-attack/29215468
TechXplore also points out that the trend is affecting other local government agencies:  https://techxplore.com/news/2019-10-ransomware-hundreds-schools-local.html

A ransomware attack that appears to have been targeted at healthcare entities shut down an entire health system in Alabama and multiple locations in Australia.  In the Alabama attack, three hospitals were on divert, accepting only emergency patients and suspending all nonessential operations.  Last week California-based Wood Ranch Medical announced that it was going out of business due to its inability to recover from a ransomware attack back in August.


NSA has created a Cybersecurity Directorate to unify its cyber intelligence and defense missions.  This is part of the trend of forming partnerships inside and outside of organizations to share cyber techniques and defenses.

There is still discussion about the Voting Village at DEF CON 2019.  The long and short of it: nearly all of the voting machines tested were very weak on both the cyber and physical security sides.  In essence, they still have (in some cases exactly) the same vulnerabilities that were found in previous years and have yet to be corrected.  This should be very alarming for agencies that are using these voting machines to collect and tabulate votes.

Click2Gov was hit again, and somehow I missed it last week, so I am bringing it up here.  The attacks began in August, and so far at least 8 cities have been hit.  It appears that the initial vector for the attack is a web shell being uploaded to a Click2Gov web server.  This points to a continued lack of oversight on the part of CentralSquare on their systems.
Wired has information here to include the list of hit cities:  https://www.wired.com/story/hackers-hit-click2gov-bill-paying-portals/
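If a dropped web shell is the initial vector, the practical question for anyone running one of these portals is how to find one.  The following is an added example (not Click2Gov's or CentralSquare's code, and not taken from the Wired article) of the kind of sweep an incident responder would run over a web root: it flags server-side script files that were modified after a known-good baseline or that contain a small set of patterns typical of one-line shells.  The directory layout, file contents, and regex patterns are all constructed for illustration; real shells are frequently obfuscated, which is why the modification-time check is the more reliable of the two signals.

```python
"""Added example: sweep a web root for likely uploaded web shells.

This is illustrative code, not Click2Gov's own. The web root, file
contents and baseline time are constructed below so it runs offline.
"""
import os
import re
import tempfile
import time

# Server-side script extensions an attacker would need to upload to get
# code execution on an ASP.NET / Java / PHP web server. Static assets
# (css, png, js served to browsers) are not executed server-side.
SCRIPT_EXTS = {".aspx", ".ashx", ".asp", ".jsp", ".php"}

# A deliberately small set of patterns seen in minimal web shells.
# Assumed/illustrative: production sweeps use larger, maintained rule sets.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"Request\[\s*['\"]cmd['\"]\s*\]",          # ASPX: Request["cmd"]
    r"eval\s*\(\s*Request",                     # classic ASP/JS eval of input
    r"Process\.Start\s*\(",                     # spawning a process from a page
    r"Runtime\.getRuntime\(\)\.exec",           # JSP process execution
    r"\bsystem\s*\(\s*\$_(GET|POST|REQUEST)",   # PHP system() on request data
)]


def scan_webroot(root, modified_after=None):
    """Return sorted [(relative_path, [reasons])] for suspicious script files.

    modified_after: optional epoch seconds of the last known-good deploy;
    any script file newer than that is reported even if no pattern matches.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if modified_after is not None and os.path.getmtime(path) > modified_after:
                reasons.append("modified after baseline")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for pat in SUSPICIOUS:
                if pat.search(text):
                    reasons.append("matches " + pat.pattern)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root: one legitimate page deployed a day before
    the baseline, one freshly dropped shell under an upload directory, plus
    static assets. Returns (root_path, baseline_epoch)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    baseline = time.time() - 3600          # pretend the last deploy was an hour ago
    os.makedirs(os.path.join(root, "upload"))
    os.makedirs(os.path.join(root, "css"))

    legit = os.path.join(root, "index.aspx")
    with open(legit, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>Pay your utility bill</body></html>')
    os.utime(legit, (baseline - 86400, baseline - 86400))   # older than baseline

    with open(os.path.join(root, "css", "site.css"), "w") as fh:
        fh.write("body { font-family: sans-serif; }")

    # Constructed one-line shell: executes whatever arrives in ?cmd=
    shell = os.path.join(root, "upload", "helper.aspx")
    with open(shell, "w") as fh:
        fh.write('<%@ Page Language="C#" %><% System.Diagnostics.Process.Start('
                 '"cmd.exe", "/c " + Request["cmd"]); %>')
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_webroot()
    for rel, why in scan_webroot(root, baseline):
        print(rel, "->", "; ".join(why))
```

Run against a real server, the baseline would come from deployment records or a file-integrity monitor, and anything flagged should be preserved (hash, copy, timestamps) before removal so the web server access logs can be correlated with the upload.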

Juniper Research says that breaches are going to increase nearly 70% over the next 5 years, with costs rising to more than $5 trillion in 2024.  Like others, they say that the "human firewall" will continue to be the best defense.

If you pay any attention at all to cybersecurity best practices, the #1 thing said over and over is: kill RDP, or at the very least stop exposing it to the internet.  It is the single best thing you can do to improve your security posture.  Here Vectra joins the bandwagon with their report.

Medical IoT devices have yet more vulnerabilities, according to the Cybersecurity and Infrastructure Security Agency (CISA).

27 nations have joined a pledge on responsible state behavior in cyberspace.


Legislation:
The U.S. Senate approved the "DHS Cyber Hunt and Incident Response Teams Act" that was sidelined in the last Congress.  It would authorize the Department of Homeland Security to develop and fund incident response teams to help public and private organizations battle cyber threats and restore infrastructure affected by attacks.
Threatpost has an article with some quotes from industry insiders:  https://threatpost.com/senate-passes-bill-aimed-at-combating-ransomware-attacks/148779/
In the Infosecurity Magazine article, they point out that Schumer focused on the New York state attacks:  https://www.infosecurity-magazine.com/news/senate-passes-ransomware-law/

California has a ballot initiative called the California Privacy Rights and Enforcement Act that would impose the strongest state-level privacy regulations in the country.  The biggest impact would be the limits on what advertising "bots" can track about you #youdontownyou.  Of course, the pushback from the big tech companies is that this will force them to charge directly for information and services that are currently ad-supported.
CNET article on the California Privacy Rights and Enforcement Act:  https://www.cnet.com/news/new-california-privacy-initiative-proposed-for-2020-ballot/

Pennsylvania is attempting to be the 2nd state to criminalize "cyber-flashing," which is, essentially, sending unsolicited "dick pics."  Texas passed a bill (2789) back in August that made it a Class C misdemeanor to send sexually explicit material without the recipient's consent.
Infosecurity Magazine interviewed the bill's author:  https://www.infosecurity-magazine.com/news/pennsylvania-might-criminalize/

In June Texas passed a law requiring virtually all government employees to complete information security training by June of 2020.  One of the interesting things (considering my day job) is that you can get around the requirement for outside training and certification by having your own security office create a training program.
Since the deadline for certifying that training is this week, Infosecurity Magazine had an article about it:  https://www.infosecurity-magazine.com/news/texas-cybersecurity-training-for/
