University of Michigan Requires Password Resets After Cyberattack
- Recently, the CISO and CIO of the University of Michigan informed staff, students, retirees, and alumni that they must reset their account passwords by September 12, due to a recent cyberattack.
- The notice followed an incident disclosed on August 28th, when the University of Michigan took its systems and services offline in response to a cybersecurity incident.
- The University shared no further details about the incident itself, but it did explain that anyone who does not change their credentials by the deadline will be unable to log in to university services and will have to go through the University of Michigan's more involved password recovery process.
Attackers Accessed UK Military Data Through High-Security Fencing Firm’s Windows 7 Rig
- The high-security fence company Zaun recently disclosed that they were the victim of a LockBit ransomware attack. According to Zaun, the attackers stole 10 GB of data, but were unable to encrypt any files.
- Zaun, which is an approved UK government contractor via the Centre for the Protection of National Infrastructure, was compromised through a manufacturing machine running Windows 7. From there, the attackers moved laterally to the organization's servers.
- Although Zaun believes no classified data was exfiltrated, the attack is a reminder that attackers continue to target the suppliers and contractors of sensitive organizations, and that an unsupported operating system on a shop-floor machine is a foothold into the rest of the network.
Old Vulnerabilities are Still a Big Problem
- On September 4th, Qualys published a report identifying the top 20 most exploited vulnerabilities it has observed. As the report notes, many of these vulnerabilities are several years old, and all 20 have a vendor patch, a micropatch, or another documented mitigation available.
- According to the report, 15 of the top 20 vulnerabilities are in Microsoft products. Notably, only five of the 20 were disclosed within the last three years; several of the remaining 15 date back as far as 2012.
- As the article states, organizations should apply available patches sooner rather than later, since attackers are clearly still getting value from flaws that have had fixes for years.
- Link to Qualys’ Report: https://blog.qualys.com/vulnerabilities-threat-research/2023/09/04/qualys-top-20-exploited-vulnerabilities
UK Boards Are Growing Less Concerned About Cyber-Risk
- According to a report from Proofpoint, which compiled interviews with 659 board members at organizations with over 5,000 employees in different sectors across 12 countries, 73% feel at risk of a material cyberattack and 53% feel unprepared to cope with a targeted attack, compared to 65% and 47% in 2022 respectively.
- While concern about cybersecurity risk has grown elsewhere, board members in the United Kingdom are a notable exception. In 2022, 76% of UK board members said they felt at risk of a material cyberattack; according to Proofpoint, that figure dropped to 44% in 2023, which the report attributes to less regular communication between CISOs and their boards.
- Proofpoint's report also identified several overarching trends: generative AI has the attention of boards, awareness and funding do not equate to preparedness, and board-CISO relationships are gradually improving.
- Link to Proofpoint’s Report: https://www.proofpoint.com/us/newsroom/press-releases/proofpoints-second-annual-board-perspective-report-reveals-nearly-three-five
Key Cybersecurity Tools That Can Mitigate the Cost of a Breach
- This article looks at useful ways to interpret reports from leading cybersecurity organizations. Specifically, it shows how to dig deeper into IBM's "Cost of a Data Breach" report, which put the average cost of a breach at $4.45 million.
- The article highlights that organizations should consider their industry-specific risk and understand their attack surfaces. Ultimately, organizations must know their exposure before they can act on it appropriately.
- Other topics discussed include the financial and functional importance of detecting stolen credentials quickly and rapid incident response. In both cases, the impact of cyberattacks and their overall cost can be mitigated drastically by a quick response to abnormal system activities.
- A key insight from the article is that organizations with an understanding of where their vulnerabilities lie, accurate views of their attack surface, an effective incident response plan, and tools for dealing with compromised credentials will suffer fewer breaches.
Microsoft, Google Take on Obsolete TLS Protocols
- Both Microsoft and Google have recently started taking steps to drastically limit the usage of TLS 1.0 and TLS 1.1, which have been used since 1999 and 2006 respectively.
- Google has proposed shortening the maximum lifetime of TLS certificates from 398 days to 90 days, as a means of encouraging the use of more secure, automated practices.
- Microsoft is planning to disable TLS 1.0 and 1.1 by default in Windows 11 and future Windows versions. The protocols will remain available, and can be re-enabled, to support applications that cannot be updated.
- The article recommends inventorying TLS endpoints, checking which protocol versions each one still negotiates, and then upgrading them to TLS 1.2 or 1.3 where possible.
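One way to carry out that inventory step, added here as an example rather than code from the article, Microsoft, or Google: a small prober that attempts a handshake with each TLS version pinned, reports which ones the endpoint negotiates, and flags endpoints that still accept TLS 1.0/1.1 (or that cannot do 1.2/1.3 at all, which matters once clients stop offering the old versions). It uses only Python's standard library; the host list is a constructed placeholder, and the server-side context at the end shows the setting being recommended (a floor of TLS 1.2). The security-level tweak is needed because OpenSSL 3 refuses to even attempt TLS 1.0/1.1 at its default level.

```python
import socket
import ssl
import sys
import warnings

# Versions to probe, oldest first. TLSv1 and TLSv1_1 are the obsolete
# protocols that Microsoft and Google are retiring.
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
LEGACY = ("TLSv1", "TLSv1_1")
CURRENT = ("TLSv1_2", "TLSv1_3")


def probe_context(version):
    """Client context pinned to exactly one protocol version, for probing only.

    Certificate checks are disabled because the question being asked is
    "will this endpoint negotiate this version", not "is its cert valid".
    Never reuse this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Python 3.10+ warns that TLSv1/TLSv1_1 are deprecated; that is the point.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level, so a
        # legacy probe must lower it or every old handshake fails locally.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # library without security levels (e.g. LibreSSL)
    return ctx


def probe_endpoint(host, port=443, timeout=5.0):
    """Return {version_name: bool} describing which versions the endpoint
    negotiates. Needs network access. A failed handshake counts as 'not
    accepted'; a version the local OpenSSL cannot speak is reported as None."""
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = probe_context(version)
        except ValueError:  # version compiled out of the local OpenSSL
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    # min == max, so a completed handshake means exactly this version
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


def needs_upgrade(results):
    """Flag an endpoint that still accepts an obsolete version, or that
    cannot negotiate TLS 1.2 or 1.3 at all (clients that drop 1.0/1.1 will
    then be unable to connect to it)."""
    accepts_legacy = any(results.get(v) for v in LEGACY)
    accepts_current = any(results.get(v) for v in CURRENT)
    return accepts_legacy or not accepts_current


def hardened_server_context():
    """Server-side policy matching the recommendation: nothing below TLS 1.2.

    Python 3.10+ already defaults to this floor, but older interpreters (and
    copied boilerplate) accept TLS 1.0/1.1 unless it is set explicitly.
    Call ctx.load_cert_chain(certfile, keyfile) before serving with it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed placeholder inventory; pass real hosts on the command line.
    hosts = sys.argv[1:] or ["example.com"]
    for host in hosts:
        res = probe_endpoint(host)
        flag = "UPGRADE" if needs_upgrade(res) else "ok"
        print(f"{host:30} {res} -> {flag}")
```

Run it as `python tls_probe.py host1 host2 ...` against your own endpoints. Because each probe pins minimum and maximum to the same version, a completed handshake is unambiguous evidence that the server still speaks that version; a rejection from a host that is reachable on 1.2 or 1.3 is the state you want to see.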
CISA Director: Critical Infrastructure Cyber Incident Reporting Rules Almost Ready
- According to CISA, final work is being completed to roll out the incident reporting requirements for critical infrastructure that were mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The final rule is slated for release in either late 2023 or early 2024.
- Under CIRCIA, CISA is required to develop requirements for critical infrastructure organizations to report major cybersecurity incidents and any ransomware payments to CISA.
- While CISA has worked to develop clear requirements and a process for sharing incident information among critical infrastructure organizations, all such reporting remains voluntary until the final rule takes effect.
- Link to CIRCIA Overview: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia
- Link to More CIRCIA Information: https://www.federalregister.gov/documents/2022/09/12/2022-19550/cyber-incident-reporting-for-critical-infrastructure-act-of-2022-listening-sessions
6 Free Resources for Getting Started in Cybersecurity
- This article highlights several resources that provide opportunities for people to learn more about cybersecurity and professional development.
- As the article highlights, jobs in cybersecurity aren’t merely tech-centric roles but multidimensional positions that require a unique blend of instincts, attention to detail, and exceptional communication and problem-solving skills.
- The six resources noted in the article include CyberSeek, the Federal Virtual Training Environment (FedVTE), Hacksplaining, PBS Cybersecurity Lab, the Workforce Framework for Cybersecurity (NICE Framework), and W3Schools’ Cyber Security Tutorial.
- Link to Additional Resources from the NICCS: https://niccs.cisa.gov/cybersecurity-career-resources/featured-stories/new-updated-cybersecurity-resources-students