**Note: In observance of Labor Day, there will not be any Security News published for the week of September 4th – September 8th. The next posting of the weekly Security News will be published the week after (September 11th/12th).
University of Minnesota Confirms Data Breach, Ransomware Not Involved
Article Link: https://www.securityweek.com/university-of-minnesota-confirms-data-breach-says-ransomware-not-involved/
- After launching an investigation on July 21st, the University of Minnesota (U of M) has confirmed that a threat actor exfiltrated data from their systems. Although the information shared was limited, the U of M confirmed that there weren’t any system disruptions or residual malicious software on any systems.
- The attacker claims to have accessed 7 million Social Security numbers with data from as far back as 1989. The U of M didn’t confirm the type of data that was accessed or how many people were affected but noted that data from 2021 and earlier may have been impacted.
- While minimal information relating to the incident was released, the announcement from the alleged hacker suggests that this attack was an act of hacktivism relating to affirmative action as opposed to a financially motivated attack.
Ransomware Hackers Dwell Time Drops to 5 Days, RDP Still Widely Used
Article Link: https://www.bleepingcomputer.com/news/security/ransomware-hackers-dwell-time-drops-to-5-days-rdp-still-widely-used/
- A report from Sophos stated that the median network dwell time for bad actors in the first half of 2023 dropped from 10 days to 8 days, compared to 2022. Likewise, the average dwell time was identified at 15-16 days in 2023 for all cases.
- The report also differentiated between ransomware incidents and non-ransomware incidents. The time that threat actors spend on networks to launch ransomware attacks dropped from 9 days in 2022 to 5 days in 2023. Meanwhile, non-ransomware incidents increased from 11 to 13 days.
- Other key statistics included that ransomware accounted for 68.75% of all cyberattacks in 2023, RDP was used in 95% of intrusions, and attackers prefer to launch attacks late in the evening.
- Link to Sophos’ Report: https://news.sophos.com/en-us/2023/08/23/active-adversary-for-tech-leaders/
Hosting Firm Says It Lost All Customer Data After Ransomware Attack
Article Link: https://www.bleepingcomputer.com/news/security/hosting-firm-says-it-lost-all-customer-data-after-ransomware-attack/
- Certiqa Holding, who owns the Danish hosting firms CloudNordic and AzeroCloud, announced that both of their cloud hosts were the victim of ransomware attacks on August 18th.
- The attacks occurred with unfortunate timing as data center migrations were in progress, causing many servers to be connected to the main network for each organization.
- It was noted that much of the stolen data is permanently unrecoverable. Likewise, the parent company stated that the ransoms will not be paid. According to the article, the impacted hosting organizations also initially recommended that affected customers switch to different hosting providers, but this statement has since been retracted.
New Bill Would Require All Federal Contractors to Develop Vulnerability Disclosure Policies
- A bill was introduced into the U.S. House of Representatives last week that outlined the development of requirements for all federal contractors to implement vulnerability disclosure policies.
- The bill is in the early stages of the lawmaking process at this time. The proposed legislation requires the development of recommendations by the Office of Management and Budget (OMB), CISA, and NIST for the Federal Acquisition Regulation (FAR) Council to reference as a means to update federal contract requirements. Additionally, the bill calls for the DoD to develop requirements around vulnerability disclosure policies for all contractors.
- Overall, the goal of the legislation is to better centralize vulnerability disclosures between the public and private sectors and to build on previous legislation, such as the Internet of Things Cybersecurity Improvement Act of 2020.
- Link to the Proposed Bill: https://www.congress.gov/bill/118th-congress/house-bill/5255/text/ih?overview=closed&format=xml
Navigating Legacy Infrastructure: A CISO’s Actionable Strategy for Success
Article Link: https://thehackernews.com/2023/08/navigating-legacy-infrastructure-cisos.html
- As the article notes, nearly every company has some level of tech debt and a patchwork of technology and solutions that have been acquired over time. As technologies age, they often increase an organization’s risk and leave them more vulnerable to attack. While the cost to replace these technologies is often significant, the cost of a cyber incident may be worse.
- The article highlights three ways to better communicate risk to leadership. These include making risk real by quantifying it for leaders, partnering with leaders in other departments to support you, and reframing the conversation to highlight the risk of old technology and the benefits of upgrading.
- The process of changing the minds of leadership and communicating risk may be a challenging and long process. The article suggests finding ways to mitigate risk as best as possible and showing true but safe examples of threats to the organization to further highlight risks to the organization.
CISA Prioritizing On-Site K-12 Cybersecurity Reviews This School Year
Article Link: https://www.nextgov.com/cybersecurity/2023/08/cisa-prioritizing-site-k-12-cybersecurity-reviews-school-year/389592/
- This article looks at communication from the Secret Service and CISA about how they are looking to improve the cybersecurity posture of K-12 schools.
- A New Hampshire CISA representative noted that their team is prioritizing on-site cybersecurity assessments to identify vulnerabilities and provide mitigation guidance for schools and districts.
- In the wake of continued attacks on the education sector, these assessments look to review where districts are at and develop a roadmap to improve their security posture. Other organizations, like the Secret Service, noted that they can assist in Indicator of Compromise discovery as well.
Unrealistic Expectations Exacerbate the Cybersecurity Talent Shortage
Article Link: https://www.helpnetsecurity.com/2023/08/25/cybersecurity-talent-shortage-expectations/
- According to ThreatX, who surveyed 2,000 consumers in the United States and United Kingdom, 63% of those surveyed agree that if they or their children had more education around the cybersecurity field at an earlier age, they would have considered entering the field.
- Additionally, 52% say that engaging students of all backgrounds earlier in proper STEM/cybersecurity courses would help to minimize the talent shortage in the cybersecurity industry.
- According to the data highlighted by ThreatX, there was an overarching consensus that more needs to be done to ensure students from a variety of backgrounds receive access to the cybersecurity field.
- While much of the exposure work comes from schools, cybersecurity organizations have a part to play as well. Specifically, the article noted that organizations should focus on training candidates for roles, pursue diverse perspectives to fill open cyber roles, and mentor people to bring more talent into the cybersecurity field.
- Link to ThreatX’s Data (PDF): https://info.threatx.com/hubfs/ug/ThreatX-global-2023-survey-cyber-talent-shortage.pdf
