ELTENI’S CYBER SCOOP

Latest News

In this newsletter, we highlight CISA’s plan to align cybersecurity initiatives for federal agencies, continued enforcement against cyber-crimes targeting financial services, and targeted attacks on US infrastructure, including American Water Works.

REGULATORY CORNER

CISA Releases Plan to Align Operational Cybersecurity Priorities for Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.

The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities. The priority areas for FCEB agencies are Asset Management, Vulnerability Management, Defensible Architecture, Cyber Supply Chain Risk Management (C-SCRM), and Incident Detection and Response.

Notes

The standardization of cybersecurity focus areas could drive a convergence of efforts in managing cyber risk. By coordinating efforts across organizations, this alignment may result in more efficient and effective risk mitigation, streamlined reporting, and enhanced transparency. While individual organizations may have varying requirements and risk tolerances, identifying common areas of focus ensures that everyone is speaking the same language and equally committed to preventing and resolving cyber incidents.

CISA Releases Plan to Align Operational Cybersecurity Priorities | CISA

ENFORCEMENT NEWS

British National Arrested, Charged for Hacking US Companies

The Department of Justice and the SEC announced charges against a British national for hacking into the systems of five US companies.  The man, Robert Westbrook, 39, of London, was arrested in the UK and is awaiting extradition to the US to face computer, securities, and wire fraud charges.

According to court documents, between January 2019 and May 2020, Westbrook hacked into the email accounts of corporate executives at five US companies by resetting their passwords. The complaint also alleges that Westbrook attempted to conceal his identity by using VPN services, resorting to anonymous email accounts, and utilizing bitcoin.

Notes

This news underscores the ongoing efforts to identify, track, and apprehend cybercriminals. The incident highlights the prevalence of Business Email Compromise (BEC) within the broader landscape of cybersecurity threats and illustrates how email remains a key vulnerability for accessing sensitive data. It’s critical not only to implement robust cybersecurity measures, such as strong access controls and email protections, but also to practice good data hygiene—ensuring that sensitive information stored in emails is properly safeguarded through measures like encryption at rest and in transit. These steps help mitigate the risk of data loss in the event of a breach.

British National Arrested, Charged for Hacking US Companies | Security Week

CYBER NEWS

Kaspersky deletes itself, installs UltraAV antivirus without warning | Bleeping Computer

President Biden issued an official ban on the sale and software updates for Kaspersky in the US beginning September 29, 2024.  In early September, Kaspersky emailed customers, assuring them they would continue receiving “reliable cybersecurity protection” from UltraAV (owned by Pango Group) after Kaspersky stopped selling software and updates for U.S. customers.  However, those emails failed to inform users that Kaspersky’s products would be abruptly deleted from their computers and replaced with UltraAV without warning.

Fortinet confirms data breach after hacker claims to steal 440GB of files | Bleeping Computer

Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices.  The cybersecurity giant has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company’s Microsoft SharePoint server.  The threat actor, known as “Fortibitch,” claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay.

Cyberattackers Use HR Targets to Lay More_Eggs Backdoor | Dark Reading

A long-active threat group (FIN6) known for targeting multinational financial organizations has been impersonating job seekers to target talent recruiters. The method is a spear-phishing campaign spreading the “more_eggs” backdoor, which can execute secondary malware payloads.  FIN6 appears to be “moving from posing as fake recruiters to now masquerading as fake job applicants” in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

American Water Works reports cybersecurity incident following unauthorized hacker activity | Industrial Cyber

American Water Works Company, a U.S. public utility, reported in a Securities and Exchange Commission (SEC) filing that on October 3, it discovered ‘unauthorized activity’ in its computer networks and systems, which it identified as a cybersecurity incident.  Although American Water Works is currently unable to predict the full impact of this incident, it does not expect the incident will have a material effect on the company, its financial condition, or the results of operations.

DECODE THE TERMS

SASE (Secure Access Service Edge) – is a cybersecurity framework that integrates network security functions (such as firewalls, secure web gateways, and zero-trust network access) with wide-area networking (WAN) capabilities, such as software-defined WAN (SD-WAN). SASE is designed to deliver these services as a cloud-based solution, offering secure and seamless access to applications, data, and services, regardless of where users or devices are located.

ZTNA (Zero Trust Network Access) – is a cybersecurity model that provides secure remote access to an organization’s applications and services based on the principle of “never trust, always verify.” Unlike traditional network access solutions (like VPNs), which grant broad access to users once authenticated, ZTNA only allows access to specific applications and resources based on strict identity verification and the least-privilege principle.
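The difference between the two models is easiest to see in a policy engine. The following is an added illustration, not code from any vendor's product or from this newsletter: a VPN-style function that grants every internal application once the user has authenticated, beside a ZTNA-style evaluator that decides each application request separately on role, MFA, device compliance and session age, with deny as the default. Application names, roles and the sample users and devices are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    authenticated_at: datetime


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in device/app management
    disk_encrypted: bool
    os_patched: bool

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.os_patched


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_roles: FrozenSet[str]
    require_mfa: bool = True
    require_compliant_device: bool = True
    max_session_age: timedelta = timedelta(hours=8)


# Constructed catalogue of internal applications (hypothetical names).
APPS: Dict[str, AppPolicy] = {
    "payroll": AppPolicy("payroll", frozenset({"finance"})),
    "hr-portal": AppPolicy("hr-portal", frozenset({"hr"})),
    "wiki": AppPolicy("wiki", frozenset({"finance", "hr", "engineering"}),
                      require_mfa=False, require_compliant_device=False,
                      max_session_age=timedelta(hours=24)),
}


def vpn_style_access(identity: Identity, apps: Dict[str, AppPolicy]) -> Set[str]:
    """Traditional VPN model: one successful login places the user on the
    internal network, so every application is reachable regardless of role
    or device state."""
    return set(apps) if identity.authenticated_at is not None else set()


def ztna_decision(identity: Identity, device: Device, app: AppPolicy,
                  now: datetime) -> Tuple[bool, str]:
    """Evaluate a single application request: default deny, least privilege,
    and the checks are repeated on every request rather than once at login."""
    if not identity.roles & app.allowed_roles:
        return False, "role not permitted for app"
    if app.require_mfa and not identity.mfa_verified:
        return False, "mfa required"
    if app.require_compliant_device and not device.compliant():
        return False, "device not compliant"
    if now - identity.authenticated_at > app.max_session_age:
        return False, "session too old, re-authenticate"
    return True, "ok"


def ztna_access(identity: Identity, device: Device,
                apps: Dict[str, AppPolicy], now: datetime) -> Set[str]:
    """Set of applications this identity/device pair may reach right now."""
    return {name for name, app in apps.items()
            if ztna_decision(identity, device, app, now)[0]}


# Constructed sample principals and devices.
NOW = datetime(2024, 10, 10, 9, 0, tzinfo=timezone.utc)
ALICE = Identity("alice", frozenset({"finance"}), True, NOW - timedelta(hours=1))
STALE_ALICE = Identity("alice", frozenset({"finance"}), True, NOW - timedelta(hours=9))
CAROL = Identity("carol", frozenset({"hr"}), False, NOW)   # logged in without MFA
COMPLIANT = Device(managed=True, disk_encrypted=True, os_patched=True)
UNPATCHED = Device(managed=True, disk_encrypted=True, os_patched=False)


def demo() -> Dict[str, object]:
    """Side-by-side outcomes for the constructed users and devices."""
    return {
        "vpn_alice": vpn_style_access(ALICE, APPS),
        "ztna_alice_compliant": ztna_access(ALICE, COMPLIANT, APPS, NOW),
        "ztna_alice_unpatched": ztna_access(ALICE, UNPATCHED, APPS, NOW),
        "ztna_stale_payroll": ztna_decision(STALE_ALICE, COMPLIANT, APPS["payroll"], NOW),
        "ztna_stale_wiki": ztna_decision(STALE_ALICE, COMPLIANT, APPS["wiki"], NOW),
        "ztna_carol_hr": ztna_decision(CAROL, COMPLIANT, APPS["hr-portal"], NOW),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it shows the VPN model handing Alice every application, while the ZTNA evaluator limits her to the apps her role permits, drops payroll when her device falls out of compliance, and forces re-authentication for the higher-sensitivity app when her session is older than its policy allows.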

MAM (Mobile Application Management) – is a security approach focused on managing and securing individual apps on mobile devices, without needing to control the entire device. MAM is particularly useful in environments where employees use their personal devices for work purposes, a concept known as Bring Your Own Device (BYOD). With MAM, organizations can manage and secure corporate apps and data separately from personal apps and data, ensuring a balance between security and privacy.

MDM (Mobile Device Management) – is a cybersecurity solution used to manage and secure mobile devices such as smartphones, tablets, and laptops within an organization’s IT infrastructure. MDM provides IT administrators with the ability to monitor, manage, and enforce security policies across all devices that access corporate data and applications.