Forescout Cyber Roundup
January 4, 2019
The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
- NIST Resources are Unavailable (December 27, 2018)
- HHS Releases Best Practice Healthcare Cybersecurity Guidelines (December 31, 2018)
- Watch Out, Cyber Fraud Cases in Banks are Spiking (January 2, 2019)
- American Newspapers Hit by Cyberattack (January 2, 2019)
- Hacker Cyber-gang: Give Us Cyber-cash for Cyber-cache of 18,000 Stolen Sept 11th Insurance Docs
Summary: The latest government shutdown continues to make headlines. From empty agency office chairs and cinched budget purses to the closures of national parks, the Smithsonian and the National Zoo, the impact is widespread.
Why it matters: Despite the headlines covering the shutdown, there hasn’t been much said about the fact that The National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) is currently unavailable due to the lapse in government funding, while other government sites such as justice.gov, state.gov and doi.gov—although not actively updated—are still online. The screenshot below shows the unavailable site; however, a post-shutdown query from archive.org does not indicate the site was offline.
And, interestingly, dhs.gov is online and being actively updated, despite the disclaimer in the banner; and, some social media platforms are still being managed, with post-December 21 tweets from DHS, DoS, DoD and other federal agencies. There are a number of theories behind the seemingly unnecessary void on nist.gov, but many point to the fact that NIST is among the heaviest hit by the shutdown with roughly 85% of its staff furloughed. Regardless of the reasoning or rationale, the unavailability is a massive point of frustration for security researchers and cybersecurity analysts. While many may have pulled an offline version of the guidance prior to the shutdown, or have a paper copy of some of the standards, the lack of digital access to more than 9,000 CSRC PDFs is more than just an inconvenience—the people hurt most by the site unavailability are the Cyber Defenders who rely on the guidance as cyber professionals and practitioners. It’s critical that we arm and enable those Defenders with every asset possible to defend against our opportunistic and ill-intentioned adversaries.
Summary: Despite the shutdown, the Department of Health and Human Services (HHS) released the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.
Why it matters: Following the Cybersecurity Act of 2015, HHS established the Health Care Industry Cybersecurity Task Force in March 2016. The Task Force issued a report to Congress with findings demonstrating the urgency and complexity of cyber risks facing the healthcare industry. One year following the report, the Task Force provided a progress update on risk mitigation. This most recent release of guidance from HHS also stems from the Cybersecurity Act of 2015. The National Cybersecurity Center of Excellence (NCCOE) has released healthcare-specific guidance in recent years, such as the guidance on securing electronic health records on mobile devices, and—not surprisingly—the new guidance from HHS highlights connected medical devices and phishing attacks as two of the five major threats identified. It’s important to note that, while this new guidance is a step in the right direction, it’s not mandated. In Europe, medical device regulations came into force in 2017 following the more general 2016 directive on security of network and information systems. Regulation has been introduced in the U.S. via the Medical Device Cybersecurity Act of 2017 and the Internet of Medical Things Resilience Partnership Act of 2017, but U.S. regulators are still trying to find the balance between the convergence of medical and technological innovation, and the inseparable risks. For any healthcare regulation to truly mitigate risks, it must evolve at a pace consistent with advancements in the field. The FDA has made significant efforts to aid healthcare delivery organizations (HDOs) by providing both pre-market and post-market guidance for manufacturers and most recently published the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to help better prepare HDOs for medical device-related cyber incidents. Guidance and regulations aren’t the only things that will drive better security practices to protect patient data in 2019. Attacks will continue, and it’s likely that lawsuits, such as the recent class action suit against LifeBridge Health Inc., will also compel healthcare providers to make aggressive investments in cybersecurity.
Summary: Financial cyber fraud is on the rise, and so is liability guidance and insurance.
Why it matters: In April 2018, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on cyber insurance and its potential role in risk management programs. Neither banks nor individuals are required to obtain cyber coverage, but insurance might become an important part of a bank’s risk management strategy. However, cyber insurance is a little different from car insurance, especially when it comes to fault and liability. While there might be witnesses and even video footage to assist in determining fault in an automobile accident, the same isn’t necessarily true when it comes to data breaches. Did an end user fall victim to his or her own curiosity and click on a malicious link? Did a financial institution fail to patch their systems? Did a single employee compromise an entire network and consequently, the personal data of millions of customers? The possible scenarios are as endless as the wild examples in, ironically, insurance commercials. In its 2017-18 Annual Report, the Reserve Bank of India (RBI) detailed a framework designed to limit the liability of customers in unauthorized electronic banking transactions. Beyond the limitless scenarios and questions, some may wonder if cyber insurance enforcement will reach the same point as health insurance mandates in the U.S.—those without insurance will face tax penalties until they purchase insurance. Although not required now, Gartner analysts and fraud experts have previously suggested that it’s only a matter of time before the FFIEC will require banks to have cyber insurance.
Summary: A recent malware attack targeting the Tribune Publishing network disrupted the printing and distribution of major U.S. newspapers.
Why it matters: In the U.S., weekday print circulation has declined for 24 consecutive years–and this recent attack isn’t going to revive readership interest or confidence. For many, the morning paper has been as certain as death and taxes, but in an increasingly complex cyber world, we’re seeing yet another example of how malicious cyber actions can result in physical disruption. British Prime Minister Theresa May warned that the decline of local journalism is a danger to democracy and is fueling the rise in fake news. As we highlighted in our 2019 Cyber Predictions, the convergence of operational technology (OT) and information technology (IT) will result in the cyber-physical destruction of industrial control systems (ICS) and critical infrastructure. While newspapers aren’t technically considered part of critical infrastructure or ICS—although many would consider the media critical in communications and emergency management—and the point of entry for the malware is yet to be determined, the intent of this attack was to disable the publication’s infrastructure and servers. And, it’s not hard to imagine the ramifications of a prolonged and targeted attack on both print and digital platforms. In 2016, 20% of Americans reported getting the news from print newspapers. When you consider the U.S. population of more than 325 million, that translates to 65 million uninformed citizens. While Tribune Publishing appears to have mostly recovered from the attack, the new strain of ransomware—Ryuk—has hit several large enterprise organizations before, and now spread to additional targets, such as cloud hosting provider Dataresolution.net. Attribution, as always, is difficult, but a 2018 report from CheckPoint indicates that the malware may be linked to a team of North Korean hackers known as the Lazarus Group.
Summary: In a recent public extortion attempt, the Dark Overload has released a portion of documents related to post-September 11, 2001 litigation and real-estate development deals.
Why it matters: A group of hackers known as the Dark Overlord has claimed to have pilfered a collection of 18,000 files related to the aftermath of the 2001 terrorist attacks on the United States. Now, the group is leveraging the files to collect bitcoin and blackmail anyone identified in the documents. Although this story is only just making headlines this week, an information security incident was first reported last April. One of the reasons the attack is gaining traction—aside from the recently released preview of stolen documents—is the increased utilization of social and news media. Time will tell if the altered strategy pays off for the attackers—Twitter has already suspended the attackers’ account, and after the group shifted to Reddit, their post was removed and the subreddit was banned; yet, the number of transactions is rising. As we projected in our 2019 predictions, adversaries are going to get more aggressive and more creative in their tactics and approaches—in this case, deploying a systematic extortion campaign. What’s important to note about this story is the specific verbiage used in the statements from the victims: no evidence to support a security breach—or even confirm them after they’ve happened. This attack and others to come in 2019 are only going to become harder to anticipate and prevent and evidence will become harder to obtain. Bad actors are getting more creative and determined, and apart from total visibility—not just into your own networks, systems and devices, but your entire supply chain and ecosystem—it’s difficult to mature beyond a reactive state. Visibility can enable enterprises to understand their steady state or baseline for the network and all connected devices, so when there’s a modern, sophisticated attempt to compromise your network, even the subtlest changes in your network posture can be immediately detected.