At a glance.
- DDoS and conflict in Southwest Asia.
- GRU may be behind US Federal agency hack.
- MENA upgrades to data privacy policies.
- CMMC update.
- Anthem reaches breach settlement with state AGs.
Flight-tracking apps' DDoS attacks linked to international conflict.
Security Week reports that distributed denial-of-service (DDoS) attacks on hobbyist flight tracking apps Plane Finder, Flightradar24, and possibly also FlightAware may have been perpetrated by hacker group Turkish Cyber Army. The attacks could be an attempt to conceal Turkey’s provision of aircraft to Azerbaijan in an ongoing but worsening territorial dispute with Armenia. The apps boast of millions of users. The interference reported is not a flight safety issue (the apps are used for the most part by journalists and aviation enthusiasts) but rather a question of influence through information suppression.
Fancy Bear sighting?
More is emerging on the cyberattack the US Cybersecurity and Infrastructure Security Agency (CISA) last week said a foreign actor mounted against an unnamed US Federal agency. Which agency was hit in the cyberespionage incident remains publicly unknown, but WIRED reports the perpetrator looks like Fancy Bear, Russia’s GRU.
MENA data privacy modernizations.
The pandemic catalyzed a review of existing data protection regulations, including a close look at the Middle East and North Africa (MENA) financial sector, according to PYMNTS.com. MENA’s earlier rules prioritized the free flow of information in order to facilitate open banking, but current circumstances bring privacy to the forefront. As more transactions move online, breaches become more frequent and expensive, and consumers call for additional protections. Egypt plans to implement a new data protection law this month. Dubai is in the process of updating its 2007 data protection law with steeper fines, and Abu Dhabi modernized its data laws this year to cover any company that collects residents’ information. Variations in regional laws continue to present challenges for international industries.
Cybersecurity Maturity Model update.
The CyberWire previously discussed concerns with the US Defense Department’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC). An interim rule meant to clarify CMMC’s schedule and provisions and “enhance the protection of unclassified information within the DoD supply chain” has not resolved all doubts, Federal News Network says. Questions surrounding the rule’s possible redundancies, failure to address the shortcomings of self-assessments, applicability to subcontractors, and cost of implementation persist. One sticking point is the condition that contractors complete evaluations of their compliance with National Institute of Standards and Technology Special Publication 800-171 criteria. The DoD projects the process should cost about $75 per contractor for the most common type of assessment. Some argue this estimate ignores long-term and managerial costs. The requirement will be phased in via new agreements over the next three years, and is expected to impact over 26 thousand small businesses. The DoD says the interim rule addresses the loss of “hundreds of billions of dollars of U.S. intellectual property” and complies with Executive Orders 12866 and 13563, which “direct agencies to assess all costs and benefits of available regulatory alternatives and…select regulatory approaches that maximize net benefits.” The DoD is accepting comments until November 30.
Anthem breach litigation wraps up after five years.
Reuters reports that US health insurance provider Anthem will pay almost $40 million in a settlement with state attorneys general over a 2015 database breach, an event the CyberWire has followed. This concludes the final remaining investigation into the China-linked hack impacting 80 million records, according to ABC. The FBI found no indication that stolen information was used for fraud. Anthem claims not to have broken any data protection laws, but says it continues to prioritize data security.