Forescout Cyber Weekly Roundup
June 7, 2019
The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- “Elections are becoming a question of data science.” With volumes of personal data available at the fingertips of bad actors and others seeking to influence elections, there’s been a growing sense of distrust towards elections in general. Voters are supposed to be able to make informed decisions, but the increasing reach of election influence has in many regards dismantled the voting system and forced voters to stop trusting elections.
- Slap on some privacy guardrails, please: Reading this story, we can’t help but think it’s more than a little ironic that The Police was the band behind the 1983 hit ‘Every Breath You Take’. The FBI has announced that it has access to 640 million photos that can be used for facial recognition searches. While the FBI claims those photos are only used to locate potential criminals in ongoing investigations, in theory, there are at least one or two photos of every U.S. citizen.
- Defense cyber recruitment needs calibration: With the 2020 NDAA underway, the DoD is under fire after losing 4,000 members of its cyber workforce in 2018 and reportedly failing to leverage current authorities and programs to speed up cyber workforce hiring. Not to mention the 2018-2019 government shutdown—the longest in U.S. history—which cast a shadow over the federal cyber community.
- As cyber policies evolve, so too must cyber oversight frameworks: One of the biggest changes is that cyber operations no longer have to go through the president. The new draft language, as a result, is seeking descriptions of delegated authorities, countries where that authority may be used and authorized activities related to those authorities.
- When cyber strategy fails, everyone suffers: So far, the Cabinet Office has only achieved one out of 12 objectives according to a recently released Public Account Committee (PAC) report. With respect to the retail industry specifically, the PAC has requested a response from the Cabinet Office around how it plans to influence business sectors such as retail to inform customers about their cyber readiness and how they plan to measure success.
- Everyone uses tech, but very few really understand it: A 2018 investigation by Consumer Reports found that many tech devices were relatively easily to hack and manipulate, highlighting the issue that tech has reached the point that many people who use it don’t always understand the associated cybersecurity risks. Craigslist founder, Craig Newmark, is backing a new effort with a $6 million donation for a new investigative division dedicated to rating and reviewing the privacy, security, transparency and data collection practices of mobile and Internet-based products and services.
- Dr. Fullz Healthcare Fraud Package—limited supply! While this article highlights one particular case of a physician’s credentials being stolen and used on the Dark Web, it’s important to consider the wide variety of options that fraudsters have with this sort of information. From filling prescriptions for themselves, or selling to others, to submitting false insurance claims or falsifying drug test results–there’s no shortage of options.
- The wide reach of a breach: LabCorp and Quest Diagnostics have made repeated headlines since acknowledging a breach earlier this week. However, what’s interesting is that a billing company, American Medical Collection Agency (AMCA) was actually where the breach originated—and that system was compromised almost a year ago. According to the SEC filing, medical data and laboratory results were not exposed; however, given the volume of personally identifiable information (PII) that was exposed, the actors behind the attack may still try to convince the victims that they have confidential or embarrassing test results and garner payment in a public extortion attempt. We expect a broad mix of financial, medical and personal data was exposed, thanks to the ‘Superbill’ nature of healthcare invoicing in the US, which consolidates personal information to a degree unseen in other verticals.
- New York state issues cybersecurity requirements for Financial Services companies: New York recently announced the creation of a Cyber Division to protect the state’s financial services industry from threats, making it the first state in the U.S. to do so.
- It’s not like the movies: New research explains what it really takes to pull off a financial cyber heist. The reality is that the bad guys are usually on a target network for a considerable amount of time before they take action. By the time a target realizes they’ve been compromised, it’s already too late and the damage has been done.
- The IT/OT clash: The convergence of IT and OT was a topic of conversation at this week’s major cyber event in London: Infosecurity Europe. Panelists explained that because the IT and OT teams have traditionally been separate—and they’ve had different methods of communicating, different priorities and operational standards—the main way to find common ground is to focus on engagement around similarities in what the two want.
- Visibility and skills the biggest OT challenges: A lack of visibility and skills were considered two of the top challenges facing organizations managing OT, according to a new poll. Because IT/OT convergence is a fairly new phenomenon, those responsible for managing it—in many cases—are still struggling to determine the best way to do so, the proper model, roles and responsibilities as well as ownership.
- DHS lacks visibility into state and local networks: With increased interest in state and local networks from foreign attackers, DHS claims that information sharing is more important than ever—not just to states and municipalities, but for national security as well.
- Protected Voices: A new FBI initiative, Protected Voices, is designed to raise awareness of cyber influence operations targeting U.S. elections. FBI offices nationwide are working with political campaigns at local, state and federal levels to provide simple, effective measures of protection.
- Even the NSA suggests urgently patching Windows BlueKeep: As usual, device hardening guidance provides best practice constants. Practitioners are urged to disable Remote Desktop Services and block TCP port 3389 with careful attention toward perimeter firewalls exposed to the Internet. This guidance supports the Remote Services callouts within the MITRE ATT&CK model, which suggests—depending on deployment—that attacks on such services can lead to Initial Access as well as Lateral Movement opportunities for attackers.
- Major hosting company hit by platform-specific vulnerabilities: An interesting angle of cyber research by Wordfence has uncovered vulnerabilities in the hosting infrastructure used by Endurance International Group, one of the largest hosting companies in the world. Their consolidated providers include iPage, FatCow, PowWeb and NetFirms. “A pair of vulnerabilities on these platforms allowed attackers to tamper with customers’ databases directly, without actually accessing their websites.”
- A curated list of awesome threat intelligence resources: Nice collection from Dutch researcher Herman Slatman. Keep up the good commits!
- Memory corruption zero-day bug found in Windows Notepad app: Notepad—yes NOTEPAD—showed its age with a new vulnerability discovered by security researcher Tavis Ormandy of the Google Project Zero team. In lieu of fireworks and confetti, Ormandy is informally referring to the bug as Notebad.
Operational Technology / Industrial Control Systems
State, Local & Education