At a glance.
- White House issues software supply chain security memorandum.
- Senate Foreign Relations Committee advances nomination of cyber ambassador.
- US indicts and sanctions Iranian cyber operators.
White House issues software supply chain security memorandum.
The White House has released new federal software security requirements in the wake of the SolarWinds attack, Federal News Network reports. The Office of Management and Budget has issued the new guidance, “Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience,” which builds on the cybersecurity executive order issued last year and applies to agencies’ use of third-party software. The memo tells agencies to ensure that their third-party software usage complies with National Institute of Standards and Technology (NIST) guidance. Software vendors can also provide a “plan of action and milestones” if the NIST standards can’t be achieved.
Senate Foreign Relations Committee advances nomination of cyber ambassador.
The Senate Foreign Relations Committee has voted to advance Biden’s cyber ambassador nominee, Nathaniel Fick, The Record by Recorded Future reports. If confirmed by the full Senate, Fick will lead the State Department’s Bureau of Cyberspace and Digital Policy. In this position, Fick would oversee the growth of the expanding office, as well as “coordinating global cyber defense activities against threats like ransomware; promoting U.S. standards to cutting-edge technology, such as 5G; and giving aid to human rights activists facing digital repression in countries like Russia and China.”
US indicts and sanctions Iranian cyber operators.
The Record by Recorded Future reports that the US government has indicted, sanctioned, and put bounties on Iranian cyber operators that worked with Iran’s military to launch ransomware attacks targeting a multitude of American hospitals, governments, nonprofits, and businesses. Sanctions were issued against two businesses, Najee Technology Hooshmand Fater and Afkar System Yazd Company, and 10 Iranians, with three – Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nikaeen Ravari – being indicted for their roles in the ransomware attacks.
Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, sees the activities of the Iranian threat actors as, at one level of abstraction, another reason to improve cyber hygiene:
“The charges coming down on the Iranian hackers that exploited hundreds of computers in the US critical infrastructure space are just another stark reminder that cyber hygiene is critical to our defense against attacks. These attacks are focused on exploiting known vulnerabilities rather than targeting specific sectors, which advances asset and vulnerability management and remediation to the frontlines. Victims in the U.S. reportedly span from power companies to nonprofits, all of which must have detailed visibility into their assets in order to effectively protect them from threat actors. It's also important to note that these individuals did not carry out these attacks on behalf of the Iranian government, but did so of their own accord with their own (likely more limited) resources. Unfortunately, critical infrastructure entities often rely on dated technology that's extremely vulnerable to these types of attacks. Put simply: it's not that hard for cybercriminals to compromise critical infrastructure systems. The Biden Administration's crackdown on Iranian cybercriminal groups is working and should continue to be a focus, as should urging operators of critical infrastructure to shore up their cyber hygiene quickly and effectively.”
Alon Nachmany, Field CISO at AppViewX, applauds the law enforcement action:
“The US Department of Justice’s announcement to charge three Iranian individuals who allegedly launched cyberattacks against the U.S. and global critical infrastructure is a breath of fresh air. At one point in time, it was a running joke within the security industry that the Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation, is where filed reports of cybercrime went to die. However, this move by the Department of Justice not only signals to the cybersecurity industry that the government is with them, but that they are willing to go the extra mile to see an end to what has become a pressing issue in today's day and age. While the individuals are likely in Iran, the US web of extradition treaties will very much limit the places these individuals can travel to without being caught. Once charges are filed, they remain for a long time since after charges are filed, there is no statute of limitations. It is also interesting that these individuals are not believed to be working with or for the Iranian government. Especially, because it is well known that under General Qassem Soleimani, the former leader of the elite Quds Force and a commander in the Iranian military branch of the Islamic Revolutionary Guard Corps (IRGC), the country oversaw a major increase in its cyber capabilities. While there might not be a connection between these individuals and the Islamic Republic of Iran, we might see this develop in the future.”
BlueVoyant's Austin Berglas, Global Head of Professional Services, thinks the indictments highlight the weaknesses of current credential management approaches:
“These indictments highlight a major gap in security common to multiple sectors and organizations. Unpatched infrastructure is equivalent to leaving your house key under your doormat when you leave for vacation. Allowing cyber criminals to exploit publicly available vulnerabilities prevents them from having to spend time and resources developing new ways to compromise your environment.
“BlueVoyant’s threat intelligence confirms that hackers can start exploiting new vulnerabilities quickly, sometimes in a matter of days. For this reason, starting late 2021, the U.S.’s Cybersecurity & Infrastructure Security Agency (CISA) now requires that regulated government agencies patch new vulnerabilities within two weeks, and sometimes sooner if there is a grave risk. Despite the risk, BlueVoyant has found that some organizations are slow to patch, many taking weeks, leaving them vulnerable.
“In addition, it is not only new vulnerabilities that are of concern. Threat vectors that have been around for many years, such as supply chain attacks, watering holes, and phishing, continue to evolve, but are still effective because of the lack of preparation of the end users and their organization.
“The number one concern for enterprises is to secure their data and credentials to ensure business continuity. The best way to have strong cybersecurity is several layers of defense, which should be systematically implemented over time. The first step is understanding what is critical in the environment and building walls of protection around, and rules for access to, this information. Multi-factor authentication (MFA) needs to be implemented across all accounts as the vast majority of account compromises will be prevented with this addition. Next, develop a baseline and establish alerting for users' login patterns in order to understand what is abnormal or anomalous. Then, organizations should employ e-mail protection and continuously educate the user base on phishing and other common cyber threats.”