Forescout Cyber Weekly Roundup
June 14, 2019
The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- Smile, you’re on camera! In last week’s roundup we covered the FBI’s database of 640 million photos that can be used for facial recognition searches. Continuing with that theme, this week U.S. Customs and Border Patrol (CBP) confirmed that a data breach exposed photos of travelers and vehicles traveling in and out of the United States.
- DHS Cyber Incident Response Teams—not just for PubSec: The DHS Cyber Incident Response Teams Act passed the House this week, and its companion measure in the Senate is awaiting a floor vote. If passed, the legislation would mark a significant step forward in fostering collaboration between the public and private sectors—ultimately, for the security of our nation as a whole.
- JRSS Operators Undertrained: A recent report from the Inspector General found that not only was the Joint Regional Security Stack (JRSS) program over budget, but its operators were also undertrained, resulting in deployments that didn’t achieve ‘expected outcomes’ or in configurations that could leave systems open to exploitation.
- Should DoD mirror HITRUST? A lack of uniform security implementation, inconsistent implementation of adequate security among defense suppliers and reliance on self-attestation of adherence to government cybersecurity standards are three of the primary reasons cyber risks persist amongst the Defense Industrial Base (DIB). This article suggests third-party network assessments and certifications of vendor networks as a means of mitigating those risks, much like the model that the Health Information Trust (HITRUST) Alliance has created and leveraged since 2007.
- Cyber top of mind for retail industry when it comes to ‘shrink’: The annual National Retail Security Survey released by the National Retail Federation (NRF) and the University of Florida reported that theft, fraud and losses from other retail ‘shrink’ rose almost $4 billion from 2017, totaling $50.6 billion in 2018. It’s not just about robberies, employee theft and shoplifting anymore—technology presents another method of theft, and another challenge for loss prevention and cybersecurity teams.
- It’s quiet—too quiet: It’s been two years since the last report on FIN8 activities, but the elusive hackers have been spotted yet again. Historically, the group has targeted point of sale (POS) systems, and now, a new report states that FIN8 is targeting companies in the hospitality industry.
- Can you trust your MRI results? We recently explained how a proof-of-concept (PoC) exploit for the Digital Imaging and Communications in Medicine (DICOM) standard lets exotic attacks blur the boundary between MRI/CT images and malware, with life-threatening implications for cancer research and diagnosis. This week, six weeks later, DHS’s National Cybersecurity and Communications Integration Center (NCCIC) has notified some of the affected vendors that may use the DICOM standard about the report, to confirm the vulnerability and identify mitigations, and DHS ICS-CERT has issued a technical alert on the issue. In a fragmented world of dozens of CERTs, thousands of vendors, and the extensive challenges facing information sharing and analysis centers, a six-week period is normal.
- Top healthcare cyber threats: A new survey has found that medical devices and third-party vendor risk are among the biggest threats facing the healthcare industry. These findings are aligned with a healthcare survey commissioned by Forescout, which found that 34% of organizations’ medical virtual local area networks support more than 100 distinct device vendors—and in many cases, the hospitals rely on those same vendors to patch and maintain the security posture of those connected devices. We also found a wide variety of connected medical devices, but a general lack of network segmentation—a security best practice—to separate those devices. Read the full report, Putting Healthcare Security under the Microscope, for details.
- Bank fraud on an industrial scale: This short interview explains that recent trends in Automated Clearing House (ACH) attacks are no longer only localized—they’re highly coordinated and might exceed 10 times the volume that banks have seen in the past, making it a much bigger problem. It’s recommended that financial institutions communicate security measures, develop and practice contingency plans, and leverage unified input from risk hubs for a single risk score.
- Banks don’t have it easy: Banks must manage high volumes of data and financial transactions over a myriad of devices every day in order to meet consumer expectations, and they must also maintain customer privacy and security. This article delves into that challenge and notes the speed of technological innovation as a major contributor to financial breach activity.
- Much like IT and OT, it’s time for public-private sector convergence: The federal government is providing security incentives, like the Secure by Design System through the SAFETY Act, to help ensure that the private sector, where much of this infrastructure lies, is creating resiliency. Bilateral information sharing, as always, remains critical to a successful partnership.
- It’s a people problem: The SANS Institute’s 2019 State of OT/ICS cyber security survey found that 46% of respondents said that increasing visibility into control system cyber assets and configurations is a 2019 priority. And 45% reported they are now detecting compromise within 2-7 days of the incident, with 53% of those saying they move from detection to containment within 6 to 24 hours. Those are some refreshingly positive findings; however, the study also found that people are considered to be the greatest threat to ICS security, with 62% of respondents ranking people (internal and external) above technology (22%) and processes and procedures (14%).
- Jury duty blocked and homes lost: Since May 21, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. Attorneys are being forced to manually file paperwork and the courts are granting jury duty excusals on account of the outage. The damage is extensive—to the point that with respect to housing law, foreclosure postponement filings are in danger of being lost, which could cause someone to lose their house unnecessarily.
- Call for reservists–maybe: There’s been a significant volume of activity at both the state and federal levels with respect to new cyber initiatives and teams. In May, the National Commission on Military, National and Public Service disclosed that it was evaluating the Selective Service System (SSS) with an eye toward modernizing the draft, including the possibility of conscripting cybersecurity professionals. Last week, we noted that New York state had created a Cyber Division to protect the state’s financial services industry from threats, making it the first state in the U.S. to do so. Now this week, Ohio is considering Bill 52, which would require the governor to organize and maintain a state civilian cybersecurity reserve force.
- How to stop out-of-control IoT devices? Wrap them in red tape: Regulation may be our best bet against future denial-of-service cyberattacks by IoT botnets. Recent regulatory moves appear in California Senate Bill 327, which would require manufacturers to provide “reasonable security feature or features” in their devices starting January 1, 2020. For example, the title calls out the following as appropriate: “The preprogrammed password is unique to each device manufactured.” This directly addresses #1 of the OWASP Internet of Things Top 10 Vulnerabilities: Weak, Guessable, or Hardcoded Passwords.
- New RAMBleed exploit steals secret data from memory: A new hardware attack extends Rowhammer’s impact to the error-correcting code (ECC) DRAM commonly used in server computers. Previously, Rowhammer exploits had only demonstrated impact against system integrity. “RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well.”
- Critical vulnerabilities in NTLM allow remote code execution and cloud authentication compromise: Among Microsoft’s 88 Patch Tuesday fixes were three issues in the NTLM authentication protocol. Two of these vulnerabilities, discovered by Preempt researchers, were used “to bypass all the significant defense mechanisms” Microsoft has developed over the years to prevent such replay attacks. Beyond patching, recommended mitigations include configuration and enforcement of SMB and LDAP/S signing, insecure protocol blocking, and Microsoft application hardening precautions.
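An added example, not from the roundup or from Microsoft or Preempt: a PowerShell audit that reads the registry values behind the mitigations listed above (SMB signing, LDAP and LDAPS signing/channel binding, refusing LM/NTLMv1 as the insecure-protocol block) and reports which are unset or weak. The registry paths are the standard Windows policy locations; the expected values are my assumptions about what full enforcement means, not figures from the article.

```powershell
# Each entry: the policy's registry location and the value that means "required/enforced".
# A missing value means the OS default applies, which for these settings is the
# negotiate / not-required behaviour that relay-style attacks rely on.
$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'LDAPS channel binding enforced (domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LdapEnforceChannelBinding'; Expected = 2 },
    @{ Name = 'LDAP client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Key  = 'LDAPClientIntegrity'; Expected = 2 },
    @{ Name = 'LM and NTLMv1 refused (LmCompatibilityLevel)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Expected = 5 }
)

function Get-NtlmMitigationStatus {
    foreach ($c in $checks) {
        # SilentlyContinue: the NTDS key does not exist on member servers, and an
        # absent value is reported as "NOT SET" rather than treated as an error.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Key) } else { $null }

        if ($null -eq $value) {
            $state = 'NOT SET (default)'
        } elseif ($value -ge $c.Expected) {
            $state = 'OK'
        } else {
            $state = 'WEAK'
        }

        [pscustomobject]@{
            Setting  = $c.Name
            Value    = $value
            Expected = $c.Expected
            Status   = $state
        }
    }
}

Get-NtlmMitigationStatus | Format-Table -AutoSize
```

Run it in an elevated session on both a domain controller and a member server; the two NTDS rows are expected to read NOT SET anywhere except a domain controller.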
- AMD secure processor firmware is now explorable thanks to a new forensics tool: “A security researcher named Cwerling has released a new tool, called PSPTool, that researchers can use to analyze the firmware used by AMD Secure Platform Processor (PSP).” Perhaps this tool—and similar efforts—will result in discovery of new kinds of processor vulnerabilities, as most research thus far has focused on Intel processors.