At a glance.
- Israel opens inquiry into NSO Group.
- Reactions to US critical infrastructure cybersecurity memorandum.
- Fixing responsibility for security.
- Allied advisory on known vulnerabilities.
Israeli authorities visit NSO Group’s corporate offices.
Unspecified Israeli officials, possibly from the NSO task force formed in the wake of last week’s Pegasus Project allegations, yesterday stopped by NSO Group’s corporate offices, MIT Technology Review reports. The Record suggests some uncertainty about whether the visit is best characterized as a “raid” or a “formal meeting.” NSO’s CEO expressed confidence that the visit would clear the firm of wrongdoing. Jerusalem’s Defense Ministry, which oversees NSO’s sales, last week announced that it would “take appropriate action” if export license violations were uncovered. The Record says yesterday’s visit is “not an indication that the company might have violated its export license.”
Reactions to the US National Security Memorandum on critical infrastructure.
SecurityWeek says President Biden’s critical infrastructure control system security memo aims to replace current “piecemeal” policies with a “uniform” standard. April’s electric sector trial of the Industrial Control System Cybersecurity Initiative, the National Law Review reports, resulted in more than one-hundred-fifty utilities adopting updated cybersecurity protocols.
Compulsory rules may be forthcoming; Representative Adam Schiff (Democrat, California 28th) and other Democrat members of Congress are already calling for them. The voluntary “performance goals” to be developed by the Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology, Federal News Network notes, may evolve into mandates more in line with those governing the chemical and financial sectors.
The Wall Street Journal confirms President Biden’s interest in “exploring the possibility of pursuing mandatory standards,” quoting a senior Administration official as saying, “Our current posture is woefully insufficient…We really kicked the can down the road for a long time. The Administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.” Accenture Federal Services’ Rick Driggers worries that mandates can become “compliance drills that don’t necessarily buy down risk.”
WatchGuard Technologies Chief Security Officer Corey Nachreiner yesterday emailed some thoughts on the initiative's possible impact:
"Today’s announcement by the Biden Administration of a new initiative to help protect the nation’s industrial control systems (ICS) against cyber attacks recognizes the very real need to defend against threats to critical infrastructure like our electrical grid, gas pipelines and water treatment facilities. I believe the Federal government should help to protect critical infrastructure. It’s important to note, however, that the Industrial Control System Cybersecurity Initiative is a voluntary collaborative effort in which Federal cybersecurity agencies will advise the ICS community on the technical security controls they should deploy to help thwart, monitor, detect, and alert against threats to their systems. Ultimately its success or failure will depend on two things: the actual technical details of the government’s recommendations and the fines or impacts imposed if the recommendations aren’t followed.
"So far, the administration hasn’t shared any specific recommendations, just that they will collaborate to help. The initiative will start with electricity companies before expanding to include other critical infrastructure providers. While the administration intends to have performance goals for this initiative, they haven’t defined them yet. Also, since the initiative is voluntary for now, there are no consequences for private ICS businesses that choose to ignore it. Without the details and more teeth, it’s hard to say if this program will have any impact. After all, federal government organizations have already been collaborating and sharing threat info with ICS companies that listened (ICS-CERT).”
Jon Clemenson, Director, Information Security, at TokenEx, applauded the memorandum, and urges the private side of the public-private partnership to take some of the initiative:
“It's great to see measured steps in the right direction. There are several, similar initiatives also working through Congress at the moment. An incident reporting bill (ALB 21B95 K29), a bill to establish a civilian cyber reserve (S.1324 - Civilian Cyber Security Reserve Act), another that removes punitive damages levied against organizations with appropriate cyber controls in place (essentially, a carrot to incentivize the positive action of organizations versus the stick of litigation or being made an example of). All good initiatives to bring cybersecurity and data protection process and technology to the forefront of actions for all organizations, not just federal.
"Often in the cybersecurity space, the government does something first (think: NIST controls), and then efforts trickle down to private sector organizations. My challenge to organizations is: why wait, when the solution is deceptively simple and right in front of you? Concerned about breaches? Then consider tokenization in addition to encryption. Building trust with clients, showing insurance companies that your organization is taking proactive action above and beyond the basics, and enabling data flow while simultaneously protecting the data—the list of benefits goes on. When thinking about Security Posture Management of an organization, tokenization should be a part of every data organization's portfolio of tools.”
Neil Jones, Cybersecurity Evangelist at Egnyte, very much liked the memorandum's emphasis on performance goals:
“In reviewing the details of the Biden administration's new cybersecurity memorandum, the term 'cybersecurity performance goals for critical infrastructure' was music to my ears. For far too long, organizations have been able to view cybersecurity protection as a nice-to-have, rather than as a mission-critical imperative that's subject to associated performance metrics. I am also excited to see that the Industrial Control Systems (ICS) initiative will promote technological enhancements that enable organizations to view, detect and respond to threats more quickly and effectively. The only potential downside is that the ICS is a voluntary program, so we will need to monitor future participation, or the program may not make a meaningful impact. Finally, the second TSA directive for critical pipeline owners and operators should significantly improve protection from ransomware attacks such as Colonial Pipeline, and the directive's cybersecurity contingency and recovery plan will allow affected organizations to rebound more rapidly.”
Todd Moore, Vice President, Encryption Products, at Thales cautions that voluntary standards are good, but that, if they are to work, companies need to see a positive business impact from following them:
“As recent ransomware attacks have confirmed, many businesses are not adequately protected when it comes to operational technology. Today’s national security memorandum coming out of the White House is the most recent reminder that critical industry sectors need to implement necessary safeguards. Digital transformation is driving the need to modernize critical infrastructure services. New technologies such as digital payments, drone deliveries, autonomous vehicles add benefit to our daily lives but they must be designed with cybersecurity in mind from the beginning to prevent a slew of new malicious attacks and attackers.
"Frameworks and guidance certainly heighten the importance of continuous monitoring and operational resiliency, but there is a need for regulation and requirement, as well as auditing to ensure companies comply. 'Voluntary' guidance is not often followed unless companies can ultimately see the personal business impact.”
Those “running the system” bear greater responsibility for securing the system.
The National Association of [Retirement] Plan Advisors reviews the Department of Labor’s recent industry guidance on cybersecurity. While all plan administrators need to attend to data hygiene and security (e.g. employing MFA and antivirus solutions), a Labor official explained, recordkeepers and those managing more data must meet higher standards. Labor’s inclusion of cyber policies in routine audits is meant to “heighten awareness,” not to punish administrators, unless appropriate remediations were not pursued after a breach.
Joint Advisory on known vulnerabilities.
Yesterday a Joint Cybersecurity Advisory was issued by the US (CISA and the FBI), Australian (ACSC) and British (NCSC) authorities. The allied services list the top-thirty vulnerabilities and briefly outline mitigations that can be applied to avoid exploitation. Good digital hygiene can go a long way. As the report says, “Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
Tim Erlin, VP, product management and strategy at Tripwire, sees the Advisory as affording an opportunity to assess your organization's vulnerability management program:
“Any organization that runs regular vulnerability scans knows that there are more vulnerabilities than they can keep up with. Focusing on the vulnerabilities that are most likely to be used in an attack is a good defensive strategy.
"This advisory provides a good test of your organization’s vulnerability management program. How hard is it to find these vulnerabilities in your environment? Are they already patched? Did you know about them and choose not to patch them for some reason? Vulnerability assessment is only part of the overall vulnerability management process, and an advisory like this provides a real-world test of your program’s effectiveness.”
Added 6:25 PM, 7.29.21.
We've also heard from Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, who notes that the vulnerabilities the Allied agencies point out aren't necessarily ones of particular importance to remote workers. They're of broader concern:
“The compiled data demonstrates several interesting trends. First, cybercriminals mostly target critical-risk vulnerabilities (e.g. RCE) that give you full access to the vulnerable system. Second, they exploit both newly disclosed vulnerabilities, while unprepared companies remain unpatched, and pretty old ones coming from 2020 or even 2019 that are still exploitable due to persistent shadow IT or poor IT asset inventory. Finally, the targeted software vendors are mostly used by large enterprises (Drupal is an exception), indicating that cybercriminals are looking for a big fish.
"Most of the vulnerabilities are not directly related to the working from home (WFH) trend and are also perfectly exploitable in a cloud environment. Worse, many organizations now migrate to the cloud in a rush and without proper training of their IT teams, leaving their infrastructure vulnerable to cloud-specific attack vectors (e.g. compromising instance metadata services).
"Many of the incidents caused by the top vulnerabilities could have been prevented by maintaining proper cybersecurity hygiene, such as implementing holistic asset inventory and attack surface monitoring programs, combined with an agile patch management process. Talking about 0days, like in Microsoft Exchange, organizations can mitigate damage caused by 0day exploitation by implementing defense-in-depth and zero-trust network models.”