At a glance.
- Cybersecurity Collaboration Center connects the private and public sectors.
- Bipartisan US legislation would address cybersecurity for healthcare.
- FBI warns election officials of credential phishing attempts.
Cybersecurity Collaboration Center connects private and public sectors.
At the recent CyberSatGov satellite security conference, NSA Cybersecurity Directorate deputy director David Luber emphasized the need for collaboration between government and industry to better protect the nation’s satellite systems against malicious intrusion. Luber drew attention to his agency’s Cybersecurity Collaboration Center, a hub focused on facilitating partnership between public and private entities. Via Satellite explains that the center is an unclassified site where the National Security Agency can communicate with defense industry partners that support the nation’s security systems and share intelligence on possible threats and vulnerabilities. “It’s about that continuous dialogue with corporate private sector partners, and ensuring that we leverage insights and share them across so that we can amplify not only the guidance that we write in the documents, but also have this opportunity to work together as a cybersecurity community,” Luber stated. One area of focus will be the development and implementation of quantum-resistant cryptography, including work with the National Institute of Standards and Technology to ensure that commercial algorithms are available.
Bipartisan bill focuses on securing the healthcare sector.
Last week, US senators Jacky Rosen and Bill Cassidy proposed the Healthcare Cybersecurity Act (S.3904), a new bill aimed at bolstering the cybersecurity of the nation’s healthcare and public health (HPH) sector. As HIPAA Journal notes, the bipartisan bill comes in response to President Joe Biden’s recent warnings about potential Russian cyberaggression in retaliation for sanctions imposed on Russia for the war in Ukraine. “In light of the threat of Russian cyberattacks, we must take proactive steps to enhance the cybersecurity of our healthcare and public health entities,” Senator Rosen stated. Senator Cassidy added, “Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks. This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.” One of the bill’s goals is to foster collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). CISA would be charged with conducting a study of the cybersecurity risks faced by the HPH sector, then working with HHS to implement mitigation measures.
The legislation would also call for HPH operators to undergo training to raise awareness about cybersecurity threats. John Bambenek, Principal Threat Hunter at security operations company Netenrich, said the bill is needed, but has room for improvement. "Requiring cybersecurity training for healthcare operators is a nice first step, but ultimately, someone needs to pay real money to remediate the threats," Bambenek told Infosecurity Magazine. "Unlike in almost every other vertical, the price of failure of cybersecurity in healthcare can be measured in loss of life and that means a real commitment in the healthcare sector, government and healthcare IT vendors needs to be undertaken to make sure patients are kept safe."
Tim Erlin, VP of Strategy at cybersecurity company Tripwire, approves of the intent, but thinks the bill as it stands doesn't do enough: “We should applaud any step in the right direction for cybersecurity, but this proposed bill doesn’t go far enough. Waiting more than a year for a detailed study before taking material action is simply too long. There are well understood, evidence-based, best practices that organizations can put in place today to reduce the risk of cyberattacks. The government has a limited set of tools to impact commercial sector companies, and legislators should be employing theirs to drive greater positive impact.”
FBI warns US state election officials of credential-phishing campaigns.
The FBI is warning state election officials that they're the targets of a long-running credential-phishing campaign conducted by unknown threat actors. It's a spearphishing campaign that uses a bogus invoice as the phishbait. "If successful," the Bureau warns, "this activity may provide cyber actors with sustained, undetected access to a victim’s systems. As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials. These emails shared similar attachment files, used compromised email addresses, and were sent close in time, suggesting a concerted effort to target US election officials." The emails and the invoices that carry the payload are misrepresented as originating with legitimate US businesses. The FBI expects such campaigns to increase in scope and intensity as November's midterm elections approach.
Erich Kron, security awareness advocate at KnowBe4, commented on the particular value election officials' credentials can hold for attackers:
“Credentials are always a very valuable commodity for bad actors, and the credentials of election officials could be even more valuable than for the typical citizen. Given the sensitive topics discussed, to include unposted election results, potential security measures and strategies to dissuade voter fraud, a lot of valuable information can be found within the accounts of election officials. A compromised email account could also be used to spread malware to other people in their contact list, using the authentic account to foster trust, or can often be used to reset passwords on accounts that may not be using a shared password as well.
"Cybercriminals also know that it is human nature to reuse passwords for many different accounts, meaning that tricking them into giving up the login information for one account is very likely to get them access to others. This could include even more sensitive information than just what is in their email account.
"The best way to avoid falling for one of these phishing emails when it arrives in their account is to educate the potential victims on how to spot these potential attacks and to ensure they understand the dangers of password reuse and the importance of enabling Multi-Factor Authentication (MFA) on their online accounts. This information should be included in regular and frequent security awareness training, even if provided in short 5-10 minute sessions, and, if possible, simulated phishing attacks used to help them practice the skills before falling for a real one.”