Tag Archive for: requires

Feds say Microsoft security ‘requires an overhaul’ — but will it listen? – Computerworld


What Microsoft did wrong

The DHS Cyber Safety Review Board’s report lays out the Chinese hack and Microsoft’s response in exquisite detail, revealing what the Washington Post calls Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency.”

The attack was engineered by the Storm-0558 hacking group — doing the bidding of China’s most powerful spy service, the Ministry of State Security. Storm-0558 has a history of carrying out espionage-related hacks of government agencies and private companies dating back to 2000. Until now, the best-known one was Operation Aurora, brought to light by Google in 2010. The Council on Foreign Relations called that attack “a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for industrial espionage.”

According to the DHS report, the most recent hack took place after Storm-0558 got its hands on a “Microsoft Services Account (MSA) cryptographic key that Microsoft had issued in 2016.” Using the key, Storm-0558 forged user credentials and used them to log into government accounts and steal emails of Raimondo, Burns, Bacon, and others.

There are other unsolved mysteries. The key should only have been able to create credentials for the consumer version of Outlook Web Access (OWA), yet Storm-0558 used it to create credentials for Enterprise Exchange Online, which the government uses. Microsoft can’t explain how that can be done.

There’s worse. That 2016 key should have been retired in 2021, but Microsoft never did so because the company had problems with making its consumer keys more secure. So the key, and presumably many others like it, remained as powerful as ever. And Storm-0558 did its dirty work with it.

This series of events — a key that should have been retired was allowed to stay active, Storm-0558 stole that key, and Storm-0558 was then able to use it to forge credentials and gain access to enterprise email accounts used by top government officials, even though the key shouldn’t have allowed it to do so — represents the “cascade of errors” the DHS said…


American national security requires smart spectrum planning


The United States has always been on the cutting edge of tech. Our free-market system enabled us to win the race to 4G, helped unleash the app economy, and allowed us to get to 5G faster than others. Our country’s leadership in tech helps secure the nation’s economic power and protect national security so the United States continues to serve as a beacon of peace and democracy.

Technology should be a force for good in the world. Our national security, and the security of other nations, is tied to our ability to keep up with and get ahead of emerging technologies. I’m encouraged to see that Congress is working together to implement a national spectrum policy. America needs a national strategy to make sure there is enough spectrum to build out 5G networks and not fall behind China.

Spectrum refers to the radio waves on which we transmit data, and it serves as the foundation for many of the wireless networks that power our lives, including 5G. Spectrum is the lifeblood of technological innovation — including advancements in national security that power our weapons systems and intelligence operations.

5G is quite literally the fifth generation of wireless connection, and it serves as a crucial foundation for innovations and advancements in the near and not-too-distant future. Alarmingly, America does not have enough spectrum in the pipeline to build out secure and reliable 5G networks. According to a paper by Analysys Mason, the United States ranks 13th in terms of available licensed spectrum — significantly behind nations such as China, Brazil and Saudi Arabia.

One reason why is that the United States has overallocated spectrum to unlicensed use. This type of spectrum is available to the public and has important uses, but it’s not the foundation of secure and reliable 5G networks. Unlike managed licensed spectrum, unlicensed spectrum faces interference, and devices connected to unlicensed spectrum aren’t always assessed for security concerns. Indeed, when it comes to security, users of unlicensed spectrum have varying incentives, capabilities and technical skills, resulting in more cybersecurity risks than those who use managed licensed…


Internet AppSec Remains Abysmal & Requires Sustained Action in 2023


Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

At the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers. 

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications, and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

“Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?” he says. “You’ve stripped away those protections and defenses.”

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

The Software Supply Chain’s Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4j components were vulnerable versions.

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs, with the average company using 15,600 APIs, and traffic to APIs quadrupling in the last year.

This increasingly cloudy infrastructure makes users’ human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

“The…


HIPAA requires ‘timely response’ for security incidents, says alert to health sector


People wait outside a hospital emergency room in Texas. (Photo by Brandon Bell/Getty Images)

A timely response to security incidents not only prevents cyberattacks and reduces recovery time from them; the Health Insurance Portability and Accountability Act also requires covered entities to implement policies to address incidents, according to the cyber bulletin from the U.S. Department of Health and Human Services’ Office for Civil Rights.

To OCR, the rise of hacking incidents across all sectors is cause for concern. About 74% of all healthcare data breaches reported to the agency in 2021 involved hacking or IT incidents, which makes hacking “the greatest threat to the privacy and security of protected health information.”

Consider the latest spate of cyberattacks and related periods of electronic health record downtime in healthcare. The outage at OakBend Medical Center in Texas lasted for about three weeks and led to care diversion during the initial days, as well as the theft of patient data. Patients were also hit with fraud attempts in the wake of the incident.

Meanwhile, CommonSpirit Health was struck with ransomware on Oct. 3, which has led to care disruptions at a portion of its 700 care sites and 142 hospitals across the country. Local media outlets note that many of these impacted hospitals are still working to recover several weeks after the attack. CommonSpirit has not issued an update since Oct. 17.

Based on the financial reports of health systems following several weeks of network outages, cyberattacks can cost upwards of $1 million per day of downtime. For Scripps Health, a month of downtime after its 2021 cyberattack cost $122.7 million in lost revenue and recovery.

“Security incidents will almost inevitably occur during the lifetime of a regulated entity,” OCR officials wrote. Adhering to the HIPAA-required security incident response plan can enable providers to effectively pivot and recover from potential cyber incidents.

These plans should include methods for identifying and responding to security incidents, as well as mitigating possible harmful impacts and documenting each incident and the outcomes.

Incident response processes should begin with forming a team with…
