At a glance.
- Update: US Government's anti-ransomware efforts.
- Dragos on TSA's pipeline security guidance.
- Comment on China's disclosure rules.
Updates on the US Government’s anti-ransomware efforts.
The Cybersecurity and Infrastructure Security Agency (CISA) yesterday unveiled a new “Stop Ransomware” website, replete with tips, tools, FAQs, news, alerts, information, reporting mechanisms, and resources, including a Ransomware Readiness Assessment. The interagency “one-stop shop” advises organizations to stay on top of patching and vulnerability scans, and to keep encrypted offline backups.
The State Department’s $10 million reward program for leads about foreign-directed critical infrastructure attacks will shield tipsters’ identities using a dark web platform and cryptocurrency payments, the AP reports.
The Department of Treasury is collaborating with financial and technology firms to track ransomware takings and crack down on crypto money-laundering shenanigans. In addition to a public-private info-sharing partnership, CyberScoop says Treasury is conducting outreach on cybersecurity insurance reform and international cryptocurrency standards. Bolstered authorities and regulations are not off the table if visibility into the threat remains a problem.
Purandar Das, co-founder and chief security evangelist at Sotero, sees the reward offer as a welcome development, but thinks it may be of limited effect against privateers and state-directed threat actors:
“It is always a positive step to offer monetary rewards. It is not clear how the awards are distributed and what the various thresholds are. It is probably too early to tell whether this would really make an impact on hackers that are under the control of a foreign state. State-sponsored hackers are probably not willing to turn on each other for fear of angering their sponsors. It remains to be seen how the monetary enticement will work for putting a dent in state-sponsored activity.”
Anurag Gurtu, CPO of StrikeReady, commented on the value the Government's steps against ransomware might have:
"Attacks from ransomware extend beyond the borders and affect entities around the globe. It is an extremely complex and difficult problem for a country leader to face, but they are taking the necessary steps. I’m glad we have a task force initiative to deal with this threat, as we can’t do it alone. Even with government assistance, these problems can't be solved overnight, but this is a great first step. Through data sharing, not only governments' critical infrastructure but also private companies will be more secure than they would otherwise be."
Industrial cybersecurity firm adds its advice to TSA’s amended pipeline guidance.
Dragos unpacks the Transportation Security Administration’s (TSA) recently revised Security Guidelines and Security Directive for oil and natural gas pipelines. As we’ve seen, the changes include novel risk assessment, asset management, personnel, and reporting requirements. Dragos reminds readers that “[c]ybersecurity is a journey, not a destination,” and recommends the firm’s whitepaper and blog posts as additional resources. The following questions can also guide pipeline owners and operators on their security voyage:
- “How mature are we, and how mature do we want to be?” The Government’s Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model can help here.
- “What threats do we face, and what real-world events have taken place?” Dragos’ Oil and Gas Threat Perspective Summary has some ideas.
- “Can we respond to a really bad day?” Is your incident response plan tabletop exercise-tested?
- “Do we have Asset Visibility in our OT environment?” Automated network monitoring should accompany routine inventory maintenance.
Take courage, owners and operators: Dragos recalls that “Rome was not built in a day.”
Possible consequences of China's new vulnerability disclosure regulations.
Dr. Chenxi Wang, General Partner at Rain Capital, offered perspective on China's new regulation on vulnerability disclosure:
“China's new vulnerability disclosure regulations spell out stricter requirements for Internet companies, service providers, and security researchers. Internet product/service providers are now required to establish (and register with the CAC) an official vulnerability reporting procedure/platform. The regulation also mandates swift actions to validate and remediate reported vulnerabilities. These are all good measures to take to strengthen the country's cybersecurity postures.
“However, the new requirements on how security researchers should disclose vulnerabilities are a bit heavy-handed. For instance, #9 in the new regulation prohibits security researchers (those who discover security vulnerabilities) from sharing non-public vulnerability information with overseas organizations or individuals. The one exception is with the product owners.
“This particular clause is controversial, to say the least. It will limit Chinese security researchers' ability to collaborate with their international peers. Even sharing research findings on a non-public vulnerability at a conference such as Blackhat or Defcon will be considered a violation of the law. It may potentially stifle security research in China and isolate Chinese security professionals from the international community.”