Forescout Cyber Weekly Roundup March 15, 2019

Colby Proffitt | March 15, 2019

The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.

Twitter: @proffitt_colby

    Public Sector

  1. The budget grew, but did U.S. readiness improve? It’s good to see a stronger investment in cyber this year, but the focus is largely on workforce—arguably a challenge that simply can’t be resolved in a timely manner. It will be interesting to see where the budget dollars are spent specifically; hopefully, there will be more investments in automation as a solution to the workforce shortage and the total investment will result in modernized military readiness.
    https://www.fifthdomain.com/dod/2019/03/11/white-house-ups-dod-cyber-budget-request/
  2. The great wall of Russia: Advertised by the Russian government as a means to reduce Russia’s reliance on foreign Internet servers, many civilians aren’t convinced and instead view the bill as a means to increase censorship and silence dissent.
    https://www.bbc.com/news/world-europe-47517263

    Defense

  4. Ready? Are you sure? What exactly constitutes readiness is constantly evolving and the U.S. military is struggling to ensure that both weapons systems and soldiers are truly ready for cyberwar.
    https://www.fifthdomain.com/dod/cybercom/2019/03/08/can-dods-cyber-teams-overcome-readiness-issues/
  5. The Navy might be hiring a CISO: After the release of a stinging 80-page assessment, the Navy has some heavy lifting to do in order to improve its cyber posture. The first logical step might be hiring a CISO from the private sector, much like the DoD hired Dana Deasy and the Cybersecurity and Infrastructure Security Agency (CISA) hired Rex Booth.
    https://federalnewsnetwork.com/navy/2019/03/review-says-inattention-to-cyber-risks-an-existential-threat-to-military/

    Retail

  7. Don’t fall for the cute cat videos: One of the latest forms of malware is currently being peddled on the Dark Web for only $250—a small price to pay considering the profit that this malware can bring bad actors. This malware is spread via email, advertising a game with cat photos.
    https://threatpost.com/glitchpos-malware-credit-card/142804/
  8. Your customers shouldn’t be the ones to tell you that you’ve been breached: While the attackers, the method, and the extent of the damage are still unclear, we do know that the outdoor clothing retailer apparently learned of the attack after customer complaints about credit card compromise. While the company has cyber insurance, time will tell how useful it really is.
    https://www.afr.com/business/retail/kathmandu-customer-data-may-been-stolen-during-online-breach-20190313-h1cbnt

    Healthcare

  10. Practice what we preach: Ironically, only a few months after publishing voluntary cybersecurity best practices last year, HHS now has to take actions to correct weaknesses in its security controls that were recently uncovered by OIG.
    https://www.healthcareinfosecurity.com/agency-releases/hitech-act-stage-2-ehr-incentive-program-meaningful-use-final-r-2723
  11. Availability shouldn’t be the deciding factor when it comes to reporting: The healthcare industry is struggling with the current HIPAA breach notification requirements, and as a result, organizations frequently come to very different conclusions regarding ransomware attacks. Many agree that proof of data exfiltration should be the determining factor in reporting, but that level of analysis is costly and time-intensive.
    https://www.bankinfosecurity.com/ransomware-attack-on-vendor-affects-600000-a-12164

    Financial Services

  13. Can’t quite put my finger on it: The Royal Bank of Scotland is piloting a new biometric bank card that will allow customers to verify purchases with their fingerprint as opposed to a traditional PIN. While this method may be more convenient for users, it shouldn’t be considered a cyber silver bullet.
    https://www.bbc.co.uk/news/uk-scotland-scotland-business-47495851
  14. Cyber finger pointing: This lawsuit is the latest in a messy recovery from a 2016 cyberattack. It’s not just the cyberattacks that financial institutions have to worry about anymore—it’s also the ways in which other criminals may leverage the attacks for further damage.
    https://www.insurancejournal.com/news/international/2019/03/13/520432.htm

    Operational Technology / Industrial Control Systems

  16. Passwords in plain text: Unfortunately, practical security measures were sometimes overlooked in the design of industrial-grade Ethernet switches—and while patches exist, they aren’t exactly easy to obtain.
    https://www.techrepublic.com/article/vulnerabilities-in-industrial-ethernet-switches-allow-for-credential-theft-denial-of-service-attacks/
  17. Siemens ProductCERT—another round of responsible disclosures: The industrial giant continues to set standards in managing product security. ICS-CERT typically echoes the advisories within days, amplifying the Siemens ProductCERT reach. Vulnerable devices with updates included controllers, switches, and other industrial products.
    https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications

    State, Local & Education

  19. The dots aren’t all connected: Although not cyber-specific, this story is a reminder that—despite repeated doom and gloom headlines—there are still a lot of localities that simply aren’t connected to the Internet. But, rural broadband efforts are increasing—and with them, the number of new, uninformed users likely to click a bad link.
    https://statescoop.com/governors-are-paying-more-attention-to-technology-than-ever-before/
  20. Tax dollars at work: Atlanta was hit roughly 12 months ago by the infamous SamSam ransomware, but opted not to pay the ransom; total recovery costs are estimated at $17 million. Jackson County, on the other hand, decided to pay the $400K ransom—promptly sparking debate as to what’s more important: protecting taxpayer dollars or fighting cyber criminals.
    https://www.darkreading.com/attacks-breaches/georgias-jackson-county-pays-$400k-to-ransomware-attackers/d/d-id/1334124
  21. Sorry, false alarm: We predicted last year that there would be more cyber-kinetic attacks in 2019. Here’s one of a few that we’ve seen so far this year; thankfully, there wasn’t any major damage outside of false alarms and annoyance, but this is an example of how poor cybersecurity can lead to broken public trust, which could ultimately result in tangible cyber-kinetic damage.
    https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/

    Editor’s Choice

  23. Unhackable? Not so fast: This isn’t the first time researchers have proven how easy it is to hack a vehicle, but this particular bit of research focused on aftermarket security systems. It’s scary, but this is the type of vulnerability research that can result in security improvements from vendors and manufacturers.
    https://www.youtube.com/watch?v=SRPn8UTnEP4&feature=youtu.be
  24. Google March security update patches critical Bluetooth RCE bug: “In all, Google reported 45 bugs in its March update with 11 ranked critical and 33 rated high. Out of those critical bugs, Google patched three critical remote code-execution (RCE) bugs. Eight additional critical vulnerabilities were reported in Qualcomm components.”
    https://threatpost.com/google-critical-bluetooth-rce/142685/