TSA Issues Proposed Cyber Mandates for Pipelines, Rail, Buses, and Airlines
Article Link: https://cyberscoop.com/tsa-pipeline-railway-aviation-rule-nopr/
- On November 7th, the Transportation Security Administration (TSA) published a notice of proposed rulemaking (NOPR) regarding the establishment of cybersecurity regulations for a subset of oil and gas pipeline, rail, and over-the-road bus owner/operators. The proposed rule also includes the option to extend the rules to other hazardous chemical pipelines, airports, and airlines.
- The primary goal of the rule is to synthesize, clarify, and codify several of the security directives that came in the wake of the 2021 Colonial Pipeline security incident.
- Other key objectives include the requirement of owner/operators to develop cyber risk management programs, define a cybersecurity assessment plan (CAP) to annually assess and audit the effectiveness of each organization’s cybersecurity operational implementation plan (COIP), and implement CISA’s secure-by-design and secure-by-default principles.
- Link to TSA’s Proposed Rule: https://www.federalregister.gov/documents/2024/11/07/2024-24704/enhancing-surface-cyber-risk-management
VEEAM Exploit Seen Used Again with a New Ransomware: “Frag”
Article Link: https://news.sophos.com/en-us/2024/11/08/veeam-exploit-seen-used-again-with-a-new-ransomware-frag/
- Recently, Sophos X-Ops reported that ransomware gangs continue to exploit CVE-2024-40711, a now-patched vulnerability in Veeam’s Backup and Replication services that allows unauthenticated remote code execution.
- Previously, attackers who had gained access through compromised VPN appliances used the Veeam vulnerability to deploy Akira and Fog ransomware. However, recent attacks have leveraged a new ransomware strain dubbed “Frag.”
- Sophos highlighted that the threat actors behind Frag leverage similar tactics and techniques as the threat actors behind both Akira and Fog.
Fake Copyright Infringement Emails Spread Rhadamanthys
Article Link: https://www.darkreading.com/cyberattacks-data-breaches/fake-copyright-infringement-emails-rhadamanthys
- Check Point Research recently reported that threat actors have been sending fake copyright infringement emails to organizations, laced with Rhadamanthys information stealer malware.
- Potential victims receive emails from unique email addresses that are crafted to look like they are coming from the legal representatives of known organizations.
- The attackers ask recipients to remove specific media and provide a Dropbox or Discord link “for more information.” The linked download contains a decoy document, a legitimate executable, and the malware’s DLL.
- Link to Check Point Research’s Report: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/
Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems
Article Link: https://www.darkreading.com/ics-ot-security/attackers-breach-network-provider-ot-ics-network
- SANS recently published its “2024 State of ICS/OT Cybersecurity” report, which surveyed 530 IT and security professionals across multiple critical infrastructure sectors.
- In addition to several other key statistics, SANS reported that 19% of respondents (100 people) experienced one or more major security incidents over the past year. Of that 19%, 12% reported being the targets of ransomware attacks. Of the 12% who suffered a ransomware attack, 38% said only their IT networks were impacted, 28.6% stated that only their OT/ICS networks were impacted, 21.4% reported that both networks were impacted, and 11.9% weren’t sure.
- SANS also noted that in 38.1% of the ransomware incidents that occurred, reliability and safety were compromised. Based on the survey data it collected, SANS observed that while ransomware appears to be on a downward trend in OT- and ICS-centric networks, ransomware incidents on OT and ICS systems can still be dangerous to physical safety.
- Link to SANS’s Report: https://sansorg.egnyte.com/dl/5mD1Yxiybn
Apple’s 45-Day Certificate Proposal: A Call to Action
Article Link: https://www.helpnetsecurity.com/2024/11/08/apple-shorter-certificate-lifespans-proposal/
- Recently, representatives from Apple published a draft ballot on GitHub proposing to shorten Transport Layer Security (TLS) certificate lifespans from 398 days to 45 days by 2027. The proposal follows Google’s intention, announced a year ago, to mandate 90-day TLS certificate validity.
- While shorter certificate lifespans are seen as good for security, many IT and security professionals are concerned that the change would cause chaos and create additional certificate-management challenges for security teams that are already stretched thin.
- The article highlights that Apple will likely put the change to a vote within the Certification Authority Browser Forum (CA/B Forum) in the near future. It also notes that even if the ballot fails, Apple would likely change its browser rules to force other browsers to follow suit, something major browsers have allegedly done in the past to push changes through.
- Link to Apple’s Proposal on GitHub: https://github.com/cabforum/servercert/pull/553/commits
Five Reasons Your Business Continuity Plan Will Fail and How to Fix It
Article Link: https://edscoop.com/business-continuity-disaster-recovery-university-2024/
- The article reviews five key contributors to the failure of an organization’s business continuity plan. These include putting technology before people, rigidly planning for every aspect of events, failing to communicate, failing to practice the plan, and developing the plan solely to be compliant.
- In essence, the article emphasizes the importance of creating and actively maintaining flexible business continuity and disaster recovery documentation.
- A vital component of developing a nimble plan includes establishing what assets are most critical to the organization via exercises like business impact analyses.
- Link to FRSecure’s BIA Starter Kit: https://frsecure.com/business-impact-analysis-starter-kit/
Consumer Privacy Risks of Data Aggregation: What Should Organizations Do?
Article Link: https://www.helpnetsecurity.com/2024/11/07/data-privacy-risks/
- Recently, the Federal Trade Commission (FTC) published a report that reviews the data aggregation practices of nine major tech companies, including Meta, Amazon, and Reddit.
- The report specifically raised privacy concerns on several key topics including the collection of sensitive data, the sharing of personal data with foreign entities and third parties, and the extensive creation of detailed user profiles by data brokers.
- The article also synthesized two key ideas from the FTC’s data privacy report. Specifically, it highlighted that many large organizations have data privacy practices that are inadequate relative to the sensitivity and quantity of data they collect. Likewise, many large organizations fail to communicate their extensive data collection processes and the downstream impact of their data collection methods.
- While both the article and FTC report discuss large tech giants, there are steps that all organizations can take to operate ethically and enhance their data collection practices. Specifically, the article and the report from the FTC note that organizations can outright limit the data that they collect, restrict data sharing with third parties, and avoid collecting potentially sensitive data if the data is not truly needed.
- Link to FTC’s Report: https://www.ftc.gov/reports/look-behind-screens-examining-data-practices-social-media-video-streaming-services
SecurityStudio Seeks Support in Fixing a Broken Industry Through Education
Article Link: https://www.securitystudio.com/blog/truth-in-cyber-pledge
- It has long been said that “knowledge is power.” A key component of fixing the broken cybersecurity industry is returning power back to security professionals through intentional educational opportunities and leadership development.
- While many see the benefit of personal growth, it is easier said than done when it comes to implementing exceptional opportunities for people to develop. Good stewardship is a vital pillar of SecurityStudio’s objective to fix a broken industry and educate the masses in an effective and enriching manner.
- SecurityStudio is specifically looking for people willing to steward well, act as a catalyst for the development of educational opportunities, and ultimately help chip away at fixing the broken cybersecurity industry.
- Link to SecurityStudio Opening: https://recruiting.paylocity.com/Recruiting/Jobs/Details/2849936
