At a glance.
- US SEC declines to amend disclosure rules.
- Missouri hires security firm to assist with data breach and identity protection.
- Binding Operational Directive 22-01.
- Four spyware companies added to the US Entity List.
US SEC declines to amend liability in Consolidated Audit Trail incident disclosures.
The Securities and Exchange Commission has decided not to accept an amendment CAT LLC proposed to provide for limiting the liability of the exchanges and self-regulating bodies that connected to the Consolidated Audit Trail (CAT). The amendment proposed that such organizations, Pensions & Investments reported, "shall not be liable for the loss or corruption of any data submitted by a CAT Reporter or CAT Reporting Agent to the CAT System." The SEC said that it couldn't find that the amendment was "necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act."
Missouri hires security firm after discovery of vulnerability in state websites.
In a move at least temporally related to the exposure of teachers' personal information on a state educational website, the US state of Missouri has retained Identity Theft Guard Solutions (the "ID Experts") for data breach remediation and identity protection services, Missouri Lawyers Media reports. The problem with the Department of Elementary and Secondary Education’s website was discovered and responsibly disclosed by the St. Louis Post-Dispatch. Missouri Governor Parson's reaction to the paper's investigation was to call its work criminal hacking, and to call for prosecution of the Post-Dispatch and its reporter. The call for prosecution was widely received with surprise and skepticism at the time, and the Governor's office hasn't replied to an inquiry about the matter.
US Federal agencies directed to address known, exploited vulnerabilities.
CISA has issued Binding Operational Directive 22-01, which requires US Federal civilian agencies other than the CIA and ODNI to address known, exploited vulnerabilities. The directive, which is accompanied by a new catalogue of vulnerabilities, will require affected agencies to fix almost three hundred known flaws identified between 2017 and this year. The bugs on the list are evaluated as a "significant risk to the federal enterprise."
The Directive specifies:
- "Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive."
- "Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog."
- "Report on the status of vulnerabilities listed in the repository."
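As an added example (not from the directive, CISA, or the original piece), a short Python check that compares an asset inventory against a catalog in the shape the directive describes and reports which entries are remediated, still within their timeline, or past their due date. The catalog rows, inventory rows and CVE identifiers are constructed placeholders, and the JSON field names are an assumption rather than something the page states.

```python
"""Cross-check an asset inventory against a catalog of known exploited
vulnerabilities and flag items past their remediation due date.

Added example. The catalog below is constructed, the CVE identifiers are
placeholders, and the field names (cveID, dueDate, ...) are an assumption
about the catalog's JSON layout, not taken from the page."""
import json
from datetime import date

# Constructed catalog (placeholder CVE ids, not real entries).
CATALOG_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
   "product": "ExampleApp", "dueDate": "2021-11-17"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
   "product": "ExampleDB", "dueDate": "2022-05-03"}
]}"""

# Constructed inventory: which CVEs are still open on which hosts.
INVENTORY = [
    {"host": "web01", "cve": "CVE-0000-0001", "patched": False},
    {"host": "web02", "cve": "CVE-0000-0001", "patched": True},
    {"host": "db01", "cve": "CVE-0000-0002", "patched": False},
    {"host": "db01", "cve": "CVE-0000-9999", "patched": False},  # not in catalog
]


def load_catalog(raw):
    """Map catalog cveID -> remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(raw)["vulnerabilities"]}


def status_report(catalog, inventory, today):
    """One finding per inventory row that is in the catalog:
    state is 'remediated', 'due' (still inside the timeline) or 'overdue'."""
    findings = []
    for item in inventory:
        due = catalog.get(item["cve"])
        if due is None:
            continue  # not a catalog item; out of scope for this report
        if item["patched"]:
            state = "remediated"
        else:
            state = "overdue" if today > due else "due"
        findings.append({"host": item["host"], "cve": item["cve"],
                         "due": due.isoformat(), "state": state})
    return findings


def overdue_count(catalog, inventory, today):
    """Number of unpatched catalog items whose due date has passed."""
    return sum(1 for f in status_report(catalog, inventory, today)
               if f["state"] == "overdue")
```

Running `status_report(load_catalog(CATALOG_JSON), INVENTORY, date.today())` gives the per-host status list an agency would roll up into its report; the uncatalogued CVE on db01 is deliberately ignored, since it is outside the directive's scope.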
Some industry experts have offered early reaction to BOD 22-01. Saryu Nayyar, CEO of Gurucul, approves of the emphasis on patching, and notes that patching has to be done right for it to work as intended:
“Patching software and operating systems should be at the top of the IT priority list. Now CISA is stepping in, directing government agencies to apply all patches by November 17. Patching can be a complicated process, in that patches should be tested in the production environment first but should take precedence over less critical activities.
“Too many organizations think patching software is optional, and doesn’t have to be done immediately. It’s refreshing to see that CISA has listed a comprehensive list of known vulnerabilities along with relevant patches. Every organization, even those outside of the government, should obtain this list and use it to check their own patch programs.”
Bill Lawrence, CISO at SecurityGate, gives CISA high marks for focus and effectiveness:
“CISA continues to impress with its focus on defending government networks and systems by executing on the basics of cyber “blocking and tackling”. It is disappointing that it takes a Binding Operational Directive for US Federal departments and agencies to implement critical patches, but kudos to CISA for recognizing this issue and using its authorities to enforce action. There was quite a bit of controversy back in 2017 with a similar directive for Kaspersky products, but this action is a no-brainer. Let’s see if it migrates to quarterly in 2022 rather than annually.”
James Hayes, Vice President of Global Affairs at Tenable, approved of the emphasis on patching as an important element of digital hygiene:
“The vast majority of cyberattacks are the result of poor cyber hygiene. The Binding Operational Directive (BOD) announced by CISA and the Joint Cybersecurity Defense Collaborative smartly focuses efforts on getting the basics right to better protect federal systems from cybercrime. This effort establishes inventories of commonly exploitable vulnerabilities and requires agencies to remediate them within a timely manner. Driving improved collective defense efforts between government and industry will strengthen our national cybersecurity posture.”
And YouAttest CEO Garret Grajek thinks the Directive is a service to the security community as a whole:
“CISA's Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, is a great service to the security community. The fact that the broad-ranging document includes products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM and others shows how far-reaching the problem is. And also how addressing just the individual components, though necessary, is a losing game. The fact that the vulnerabilities exist in practically all the resources infers to security personnel that an overall methodology must be in place to mitigate an attack that could come from anywhere.
“The commonly accepted new methodology is Zero Trust - where each "leg" in the system has to confirm the identity of the requesting party. In a zero trust system identities and informational requests need to be constantly validated in each step of the process. Identity attestation to ensure the principle of least privilege PR.AC-6 is also imperative in a zero-trust system.”
US Commerce Department sanctions four vendors of intercept tools.
The US Department of Commerce has sanctioned four companies for providing spyware to foreign governments. NSO Group and Candiru (both based in Israel) have been added to the Entity List, as have Positive Technologies (a Russian firm) and the Computer Security Initiative Consultancy PTE (headquartered in Singapore).
Of the two Israeli firms, Commerce said they “were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”
Positive Technologies and the Computer Security Initiative Consultancy were placed on the Entity List after, Commerce said, “a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”
The sanctions, Commerce explains, represent a move in support of human rights. “This effort is aimed at improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities,” the Department’s announcement said.