ELTENI’S CYBER SCOOP
Latest News
In this newsletter, we highlight the practical challenges of enforcing incident reporting rules, the question of who is responsible for managing and securing customer data once it is handed to third parties, and cyber risks affecting some of the largest technology providers (Microsoft, Palo Alto Networks and Dropbox).
REGULATORY CORNER
Cybersecurity and Infrastructure Security Agency (CISA) faces resource challenge in implementing cyber reporting rules.
After the Cybersecurity and Infrastructure Security Agency’s 447-page proposal for when critical infrastructure entities will have to report breaches landed with a heavy thud last week, experts say that now comes the hard work of figuring out whether the agency has the resources it needs to implement the requirement and digesting the huge amount of data it is about to receive. This notice of proposed rulemaking sets the stage for a landmark shift in how the U.S. government understands the prevalence and severity of cybersecurity incidents.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 creates for the first time requirements for critical infrastructure owners and operators to notify the government when they have been breached. The proposed rules represent CISA’s guidelines for how and when incidents are reported.
Notes
Collecting data about cyber incidents is essential for improving defenses against future attacks. The challenge lies in deciding which data is relevant and recognizing when collection starts to hinder rather than help. A critical consideration is the definition of a "cyber incident" for reporting purposes. If the definition is too broad, the agency will be flooded with low-value reports and struggle to extract actionable insight; if it is too narrow, significant incidents will go unreported, leaving gaps in the national picture of risk.
Striking the balance between inclusivity and specificity in that definition is what makes the collected data both comprehensive and actionable. The same calibration problem applies inside any organization writing its own internal incident reporting thresholds: a threshold that triggers on every blocked phishing email buries the real intrusions, while one that only triggers on confirmed data theft misses the early stages of an attack.
CISA faces resource challenge in implementing cyber reporting rules | Cyberscoop
ENFORCEMENT NEWS
FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data
The U.S. Federal Communications Commission (FCC) levied fines totaling nearly $200 million against the four major carriers, AT&T, Sprint, T-Mobile and Verizon, for illegally sharing access to customers' location information without consent. The fines mark the culmination of a more than four-year investigation into the carriers' practices. In February 2020, the FCC put all four wireless providers on notice that their practice of sharing access to customer location data was likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
Notes
Two lessons emerge from this case: data protection and third-party risk management. The first is the need to understand what data the technologies we use every day generate about us (here, the location of a subscriber's handset, which the carrier must know in order to route calls) and how that data is stored, managed and secured. The second is third-party risk: the carriers did not sell location data directly to the end users of it, but to aggregators who resold access onward, so each hop added a party whose handling of the data the subscriber never consented to and the carrier no longer controlled. Whenever you entrust data to a provider, the same questions apply: who else receives it, under what contractual and technical controls, and whether you can verify those controls rather than just rely on a promise.
FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data | KrebsonSecurity
CYBER NEWS
Exploitation of vulnerabilities almost tripled as a source of data breaches last year | Cyberscoop
Attacks that relied on the exploitation of vulnerabilities as their key path to a breach leaped a remarkable 180% last year compared to the year before, driven in large measure by the sweeping MOVEit hack, according to the annual Verizon data breach report released Wednesday.
Palo Alto Networks fixes zero-day exploited to backdoor firewalls | Bleeping Computer
Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls. This maximum-severity flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls with a GlobalProtect gateway or portal configured; the vendor's initial advisory also listed device telemetry as a precondition, but later revised that guidance to state that telemetry does not need to be enabled for exploitation, so any affected version running GlobalProtect should be treated as exposed. Unauthenticated threat actors can exploit it remotely to gain root code execution via command injection in low-complexity attacks that do not require user interaction. Because exploitation was observed before a fix existed, patching alone is not sufficient: affected devices should be checked for signs of compromise per the vendor's guidance and, where compromise is suspected, rebuilt rather than merely updated.
Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report | SecurityWeek
In the wake of a scathing US government report that condemned Microsoft's weak cybersecurity practices and lax corporate culture, Microsoft committed to strengthening the protection of its network and tenant environments, removing all lateral movement pivots between tenants, environments and clouds, and ensuring that only secure, managed, healthy devices are granted access to Microsoft tenants. The new strategy also emphasizes protecting Microsoft's production networks and systems by improving isolation, monitoring, inventory and secure operations.
Dropbox Breach Exposes Customer Credentials, Authentication Data | DarkReading
Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services. The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.
DECODE THE TERMS
Virtualization – the process of creating a virtual version of a computing resource, such as a server, storage device, or network, allowing multiple virtual instances to run on a single physical machine.
Zero Trust Security Model – a security approach based on the principle of “never trust, always verify,” where access to resources is strictly controlled and authenticated, regardless of whether the user is inside or outside the network perimeter.
End-to-End Encryption – a method of securing communication in which data is encrypted on the sender's device and can only be decrypted by the intended recipient, so that neither an eavesdropper on the network nor the service relaying the message (the mail or chat provider, for example) can read the content.
SSL/TLS Encryption – Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that provide authenticated, encrypted communication over a computer network, commonly used for securing web traffic (HTTPS), email and VPN connections. All SSL versions are deprecated and should be disabled; modern deployments use TLS 1.2 or 1.3. Note that TLS protects data in transit between two endpoints (such as a client and a server); unlike end-to-end encryption, the server at the far end can read the data.
Security Information and Event Management (SIEM) – a software solution that collects logs and security events from many sources (firewalls, servers, identity providers, endpoints), normalizes them, and correlates them in near real time so that patterns spanning several systems can be detected and responded to more effectively than by inspecting each log on its own.
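To make the SIEM definition concrete, the following is an added example (not code from the newsletter or from any SIEM product) of the core correlation idea: events from two different log sources are parsed into a common schema and a single rule detects a pattern that neither source shows on its own. The log lines, hostnames, usernames and IP addresses are constructed for the example, and the field format (`key=value`) is an assumed, simplified schema rather than any real product's log format.

```python
"""Minimal SIEM-style log correlation over constructed sample events.

Added example: parses events from two hypothetical sources (an SSH daemon and a
VPN gateway), normalizes them, and raises an alert when a burst of failed logins
from one source IP is followed by a successful login from the same IP within a
short window. Standard library only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, users and addresses).
# Note the alice failures are split across two sources: three on the SSH
# bastion and one on the VPN gateway. Only a cross-source view sees all four.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd host=bastion user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:03Z sshd host=bastion user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:05Z sshd host=bastion user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:09Z vpn host=gw1 user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:12Z sshd host=bastion user=alice src=203.0.113.7 result=SUCCESS
2024-05-01T10:05:00Z sshd host=bastion user=bob src=198.51.100.4 result=FAIL
2024-05-01T10:20:00Z sshd host=bastion user=bob src=198.51.100.4 result=SUCCESS
2024-05-01T10:30:00Z vpn host=gw1 user=carol src=192.0.2.9 result=SUCCESS
"""

# Assumed simplified log schema: "<timestamp> <source> key=value ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Normalize raw lines into dicts with a parsed UTC timestamp.

    Lines that do not match the schema are skipped; a production pipeline
    would count and surface them, since silent drops hide visibility gaps.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold FAIL events from one src IP (any source, any
    host) are followed by a SUCCESS from that same IP within `window`.

    Failures are kept per source IP in a sliding window, so a slow success
    long after the failures (bob below) does not trigger the rule.
    """
    failures = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        # Expire failures that fell outside the window relative to this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "ts": ev["ts"],
                "src": ev["src"],
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
            })
            recent.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(parse_events(SAMPLE_LOGS)):
        print(f"ALERT {alert['ts']:%H:%M:%S} src={alert['src']} "
              f"user={alert['user']} host={alert['host']} "
              f"after {alert['failures']} failures")
```

Run stand-alone, the script raises one alert for 203.0.113.7: the three SSH failures plus the VPN failure count together, and the later SSH success completes the pattern. Looking at the SSH log alone would show only three failures, and the VPN log alone only one; that aggregation across sources, plus the time window that keeps bob's isolated failure from firing, is the work a SIEM does before a detection rule can be written against it.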