At a glance.
- The Known Exploited Vulnerabilities Catalog gets an update.
- CISA issues guidelines on securing land mobile radio.
- GSA formally hands over responsibility for the dot gov domain to CISA.
- The importance of attribution in deterrence and retaliation.
CISA adds new vulnerabilities to exploited bugs list.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added fifteen common vulnerabilities and exposures (CVEs) to its Known Exploited Vulnerabilities Catalog, a veritable who’s-who of bugs that are being actively exploited. HSToday explains that under Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal civilian executive branch (FCEB) agencies must remediate the vulnerabilities on this list by the assigned due dates, and CISA recommends even non-FCEB organizations do the same. Among the new vulnerabilities are CVEs related to Microsoft Windows, VMware, and Google Chrome.
CISA issues advice on securing land mobile radio communication.
CISA also released a white paper focused on Public Safety Communications Security, MeriTalk reports. The paper explains the prominence of Communications Security (COMSEC) and how to protect a COMSEC program against intrusion, focusing on reliable land mobile radio (LMR) communications. The paper emphasizes the importance of encryption, advising that the Advanced Encryption Standard (AES) is the optimal choice. “Encryption is among COMSEC’s strongest tools, and encryption using the AES algorithm is the only reliable method available to secure public safety wired and wireless communications.”
CISA takes over dot-gov domain.
In other CISA news, the General Services Administration (GSA) officially passed on management of the “dot-gov” top-level domain today to CISA. The Federal News Network explains that the agency was put in charge of most aspects of managing and securing the domain last March, and with the publication of a new GSA rule today, the domain is now completely in CISA’s hands.
The importance of attribution in cyberattack response.
A new report out of the German Institute for International and Security Affairs warns that the EU’s response to cyberattacks lacks coherence. The reason? Issues with attribution. “Right now, every member state does its own attribution and political and legal assessment of cyber-incidents,” Matthias Schulze, one of the paper’s authors, told The Daily Swig. “Since capabilities vary, it is possible that member states assess the same incident quite differently and this leads to a fragmented response.” Schulze and fellow author Annegret Bendiek examined the policy responses to the WannaCry, NotPetya, Cloud Hopper, OPCW, and Bundestag cybersecurity incidents and found that the EU is too dependent on intelligence from NATO when it comes to determining attribution, which slows down the attribution process. The legal classification criteria for cyberincidents are also not clearly prioritized, leaving much to interpretation. The paper recommends that the EU clarify these legal criteria and synthesize attribution standards.
Bob McArdle, director of forward threat research at Trend Micro, explains this might be easier said than done. “Attribution is difficult, time-consuming, prone to misleading conclusions due to lack of all data, and most of all can have high impact if done incorrectly. It is relatively trivial for a skilled group to plant false flags, such as TTP of another group, strings of text in a certain language or use of another group’s preferred tooling, with the specific goal of actually pushing the security industry to misdiagnose its source. In an era where a cyber-attack can immediately lead to major political fallout, we believe that is simply irresponsible.”