Todd Fitzgerald

Thanks to the good people at Claroty, I found services that list OT/ICS attacks! Some great material here: Newsfeed style: https://icsstrive.com/ Database: https://lnkd.in/e8KM7fJw, https://lnkd.in/eJkM9UYJ But what's interesting? None of them are complete... There was an attack on a Texas water treatment plant in January by, potentially, SANDWORM. It's not on either list. Complete databases will help us with complete information that will need to better decision-making and a fuller intuition. So, if you know of attacks that are not on these lists, use the Report button to add them. #cybersecurity #otsecurity

8

CISO reporting to 'The Board'...Scary? Yeah probably. It should be. Its real accountability, and an open challenge to your visions and strategies, and your ability to execute accordingly. As a CISO, I often get questions about how to present to 'The BoD' directly. Truth is, there's no single model - Every business is different, and every Board is different. But you know that already cuz you're in a position of leadership and discernment for a reason :) The right message always remains the same- How does your own leadership role, function, and focus contribute to the greater good of the organization? How does it help the business to determine where and how to accept and navigate risk? Not just avoid it. Sounds simplistic. But you may be surprised how many CISO messages don't answer that basic inquiry sufficiently. Your message, at this level, needs to clearly align to a broader forward-looking strategic narrative. If it doesn't, it doesn't resonate, and you haven't positively moved the needle. You never want to be the best checkers player in a chess match. I’m looking forward to demystifying this exact topic at the CISO ExecNet National Member Symposium July 23rd at the Willis Tower in Chicago with colleagues Eric Galis, Susanne Elizer Senoff, and Michael Calderin. #cisoexecnet #ciso #executiveleadership #boardreporting

130

7 Comments

For anyone still dealing with the fallout of the Crowdstrike/Windows issue; I wanted to give a tip that we are using with some success to automatically and centrally remediate systems that match a certain set of characteristics. This isn't a "silver bullet" to fix all systems everywhere, but where it works it doesn't require bitlocker keys, safe mode, or preboot environments. The system has to be boot looping or restarted. The opportunity that allows this to work: we identified that most systems which are crashing actually get far enough into the boot process that the network stack and Windows Server service are starting, briefly. We see a few second window when the system is available on the network before Crowdstrike fully loads and the system crashes. This also why some systems "self-heal." During the brief period before the crash, Crowdstrike may have enough time to download the fixed channel update before the system crashes, This small network availability window has given us a way to delete the channel file using a delete command from another system on a UNC path to the impacted system. There are a number of caveats that limit the success of this approach: 1. Host must using a wired network connection (wireless may work, but we haven't been able to definitively test) 2. The host IP must be known or resolvable via DNS (the system is "on" the network for less than 12 seconds, so this is often a problem). 3. The script must be run from a fully functional system, in the context of a credential that has previously established (before the Crowdstrike channel update) local workstation administrator level privilege 4. Executing against a single host one at a time has shown a higher rate of success than executing against a large number of hosts or an entire network range in parallel. In other words, this isn't a guaranteed fix. Said another way, this seem to have the highest success against wired hosts that are continually boot looping. Please comment if you find other constraints or errors in my list. A system can be tested to see if this approach will possibly work by continually pinging the IP address of a system that is crashing, while its crashing. There will be a string ping failures followed by a few replies then failures. While the system is able to reply to the ping, the delete command can be run. We originally triggered the script once we saw an ICMP reply, but are having better success just executing the delete against the UNC path against whole subnets repeatedly. In a "healthy" system, executing the delete against a UNC path will result in a delete failure as Crowdstrike appears to have the (fixed) channel file in use/locked. If the 'delete \\[hostip/hostname]\[UNC path to CS channel file]' command succeeds, the system boots normally into windows. If it doesn't, the system will BSOD again.

197

19 Comments

May be expensive but worth it.

1

Ever since the crippling ransomware attack on Colonial Pipeline in 2021, the importance of incident reporting for cyberattacks has been a high-profile topic. Among other things, this led to the US Congress passing the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Now CISA has published a notice of proposed rulemaking to fully establish this new data breach reporting mechanism, with the potential to dramatically overhaul the workloads of most cybersecurity professionals. CISA's rules are robust, encompassing a broad scope of cyber incidents and ransom payments that covered entities must report, and how the rules apply across 16 US critical infrastructure sectors. These rules will likely undergo major changes before CISA publishes its final rule (anticipated in 2026), but it gives the industry a glimpse into its future, marking a major shift in how incidents like these will be reported in the future. #Cybersecurity #Cyberattacks #Compliance #IncidentResponse

23

If your an MSP/MSSP, get your documentation in order. MSA, Service Description, Product Description and SOWs are all important. And for those customers with low security maturity levels, be sure to use a document like the Cyber Constitution that Eric Tilds and I put together to lock in a commitment to budget and improve that security posture. If you don't know Eric, look him up. He built and sold an MSP and is a commercial lawyer who has performed landmark work in the MSP/MSSP Managed Service Agreement space. Eric and I worked several months to build a document that can mitigate risk when dealing with low cybersecurity skilled customers. Stop walking away from those that need your help the most. Protect yourself by all means, but help those that need it! This document has been released to the public domain under a specific license. www.cyberconstitution.org

29

2 Comments

I love audits! ❤️ This sounds crazy to most, but one of my main jobs is advising teams on how to meet the NIST/Compliance controls. The controls do a good job of setting expectations, but they don't describe "how" you should meet those controls. Much of what I do is translating those controls in to technical solutions and advising teams on how to implement them. I'm not a compliance guy. I've never worked in a GRC team. I'm the glue between GRC and engineering teams. De-mystifying the requirements (even the unpublished ones 😂 ). So when audits come around, they are like a test for me. They say in no uncertain terms whether I've adequately prepared the teams and company. When audits are clean and there are no surprises, it's such a satisfying feeling.

41

2 Comments

I see TAs looping over wevtutil and deleting event logs on any.run and various reports. Why? Anyone wants to fill me in - please let me know. I get the action is defense evasion. Most orgs send logs to a SIEM. Are they catching and deleting the logs prior to the SIEM push? Let me know. #cybersecurity

1

McGee (2024) wrote HHS OCR said its investigation into Heritage Valley's incident discovered multiple potential violations of the HIPAA Security Rule. They include failures by Heritage Valley to: conduct a HIPAA security risk analysis, implement a contingency plan to respond to emergencies such as ransomware attacks, and implement policies and procedures to allow only authorized users access to electronic protected health information. This is why I jump up and down to get my clients to simply implement proactive cybersecurity measures. I try to persuade them to implement a cybersecurity strategy with risk, program, and control frameworks backed by valid, reliable, and defensible information security standards like those published by CIS, NIST, and ISO. We advise them to start with a risk assessment...which is not a technology assessment, not an IT assessment, not a controls assessment, not a...well you get the point. Contingency plans are simple...they start with a business impact analysis (BIA), which is also informed by risk assessment results. Responding to ransomware attacks could be addressed by implementing an incident response policy, plan, and conducting tabletop exercises. Three simple controls. THREE. What happened here was a failure of the Heritage Valley executives to recognize the difference between information technology and information security and failure to assign separate budgets, staffs, and an executive leader who was on the same structural level as the other "C-suiters" who reported to the CEO. We must do better. Plain and simple. In addition, STOP the reliance on the accountant developed SOC-2 report as a blanket approval in the evaluation of your third-party vendors' "cyber-worthiness". We have to drive home the fact that all sustainable cyber strategy starts with a risk assessment, endorsed by executives who create separate information security governance and management structures. I have a solution methodology...and it works. #cybersecurity #governance #securitymodels #standards #CIS #NIST #ISO #riskassessment #ciscontrols #executives #CISO #CIO #informationtechnology #standards https://lnkd.in/gVSDbyXR

2

1 Comment

If you are (or ever were) a Sisense user, it is critical to change your password (and change that same password anywhere else you are using it). #Sisense #Sisensebreach #cybersecuritynews #CISAalert #cyberaware #cybersecurity

4

CMMC Level 2 Assessment Objective: Alternative Work Sites PRACTICE: Organizations must enforce safeguarding measures for containing controlled unclassified information (CUI) at alternative work sites. ASSESSMENT: Alternative work sites may include government facilities or the private residences of employees. Organizations must define and implement safeguards to account for protection of CUI beyond the enterprise perimeter. Safeguards may include physical protections, such as locked file drawers, as well as electronic protections such as encryption, audit logging, and proper access controls. Be prepared! Your assessor could ask to: 🔍 EXAMINE a list of safeguards required for alternative work sites 🗣 INTERVIEW personnel approving use of alternative work sites 📝 TEST organizational processes for security at alternative work sites (CMMC Assessment Guide: Level 2 Version 2.11, page 186) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

47

The City of Cleveland has experienced a significant cyberattack, leading to a precautionary shutdown of their IT systems. Here's what you need to know: Incident Overview: The attack disrupted critical services, forcing the city to disable its IT systems to prevent further damage and secure sensitive data. Services Affected: Key government operations and online services have been impacted, highlighting the vulnerability of municipal IT infrastructure. Response and Recovery: City officials are working diligently to restore systems, assess the breach's extent, and reinforce cybersecurity measures. https://lnkd.in/eqfst-td This incident underscores the urgent need for robust cybersecurity practices in local government. Continuous monitoring, timely updates, and a solid incident response plan are crucial to protect against such attacks. Until all organizations take cybersecurity posture and education seriously we will continue to see incidents such as this one. #CyberSecurity #CityOfCleveland #ITSecurity #CyberAttack #RiskManagement

3

Saturday morning head scratcher. Let's unpack this plan with a stroll down history lane. HITECH Act passes 2009. EMRs are mandated and implementation is rewarded through Meaningful Use and then, if the EMRs were not adopted by 2015, CMS was going to punish those who did not adopt the EMR. EMRs are now ubiquitous. And they cost a lot of money to maintain. And PHI has high value for hackers. Here are some interesting numbers: The average IT operating expense budget across approximately 4,660 hospitals is $7.8 million. This is about 3% of the average total hospital operating expense of $209 million. Where does the money go? Hardware, software, training, and ongoing fees and maintenance. How much of the budget is spent on keeping the system secure? It depends on the organization. And there is this.... Eighty-eight percent of surveyed healthcare organizations experienced at least one cyberattack in the past year (2023), leading to strained patient care and increased costs. From the article.... The American Hospital Association has long opposed cybersecurity requirements for hospitals, saying any fines or CMS reimbursement cuts would impinge health systems' ability to fight hacks. "The primary source of cyber-risk exposure facing the healthcare sector originates from vulnerabilities in third-party technology and service providers, not a hospital's primary systems," the association told Bloomberg. "The AHA supports a sectorwide approach to cyber-resiliency. We will continue to work with policymakers on an approach that doesn't result in unfunded mandates and a focus on the entire critical infrastructure of the healthcare sector." The recent Change attack was not hospital-based. And the AHA is correct in its position statements--a sector wide approach is needed. This proposal won't accomplish much. Much more needs to be done.

12

Several great demos this week showing how to navigate the CISA Secure Software Attestation process using the CISA RSAA portal. Two more demos are scheduled for next week. The date when US Government Agencies will begin collecting these attestations is right around the corner, starting June 8, 2024. Software vendors really should begin preparations ASAP to submit their CISA Secure Software Attestation Forms and other artifacts, like SBOM's, POA&Ms, Vulnerability Disclosure Reports (VDR) and Vendor Response Forms (VRF) in the RSAA portal. Reliable Energy Analytics LLC organizes its CISA attestation submittal package using the open-source vendor response form (VRF) that was demonstrated by the IETF SCITT Hackathon in July 2023. https://lnkd.in/ebwVHr8v There are many unanswered questions, using solely the Secure Software Attestation Form, that government officials will want to know answers to when evaluating software products submitted to the RSAA portal. Here are a few of the items that are missing, which are addressed in the Vendor Response Form: - Is the software producer foreign owned? - Does the product contain foreign technology that may be prohibited by the US Government? - Is the product currently supported? - What is the commercial status of hte product; is it end of life? - What requirements within the secure software attestation form is the software producer unable to attest to and require a POA&M? These are just a few of the items that federal officials will be considering when they evaluate a software product as part of the CISA secure software attestation form evaluation process that will require the additional information provided in a Vendor Response Form (VRF), POA&M, SBOM and VDR artifacts that software producers should consider uploading to the CISA RSAA portal along with their attestation forms to eliminate the "back-forth" questioning that can occur when a attestation form alone is uploaded to the CISA RSAA portal. It is in the software producers best interest to supply this additional material/artifacts, up front with the attestation form in order to ensure efficient processing and approval of their products under the OMB M-22-18 Software Attestation and evaluation process. An open source VRF template is available here to help software vendors prepare to "pass the attestation form test'; https://lnkd.in/eQq5JXHa

3

"And what about the OT Security?" 🤔 Who is responsible for protecting operational technology in your company? CISO? CIO? COO? Today, I have a little weekend read for you. The Ponemon Institute released the study "Managing Access & Risk in the Increasingly Connected Operational Technology (OT) Environment" 📊 Here are my 3 most important takeaways: 1️⃣ Spotting Gaps: The study uncovers significant disparities in managing OT systems access and risk. From risk mitigation to oversight of third-party access, there's plenty of room for improvement. 2️⃣ Battling Third-Party Risks: Unauthorized access and data breaches are real threats. It's crucial to heighten awareness of third-party access risks and implement robust mitigation strategies. 3️⃣ Embracing Connectivity: Increased IT/OT integration isn't just about efficiency—it's about security too. By enhancing collaboration and response capabilities, we can better safeguard against unplanned asset downtime and bolster overall resilience. You can find the full report, which is well worth reading, here: https://lnkd.in/dtNh58Q8 Have a great weekend! #OTSecurity #RiskManagement #CyberResilience 🛡️🔒

42

9 Comments

Whether you're a Covered Entity or a Business Associate, it's crucial to understand your role and ensure everyone’s prepared when a data breach hits. Read and listen 👉 Link in comment #HIPAA #InfoSec

7

1 Comment

Interesting stats for 2024. Seems Healthcare is again the big focus or the easiest targets. Just sharing for increased awareness for our Healthcare folks... Unfortuanately cybersecurity is a bit like you and a buddy outrunning a bear. You can't outrun the bear, but you can outrun your buddy. Increase your hygiene and they look else where...just the truth, these criminals are lazy too, make it hard on them and they go away to an easier target. https://lnkd.in/gV7tfMVb

2

I'm assembling the findings and other artifacts of six years of R&D that led to the development of Federated Cyber-Risk Management (FCR). FCR is a proven methodology for implementing shared responsibility for cyber risk management and the cornerstone practice of a family I've named Federated Cybersecurity. Built on principles similar to elements of Total Quality Management (TQM), these practices aim to do for cybersecurity what TQM did for quality...trigger an evolution toward whole-organization participation. I have already assembled my insights and results into several whitepapers, have developed several process tools and requirements lists for enabling platforms, and am turning some of this content into a book. Next, I'd like to explore the potential to share these insights with independent IT consultants and firms as a way to accelerate adoption of the methodology. While we have considerable evidence of success already and one enabling solution has already been launched, I am only one person and I have only one team. We will need an army of people trained to help organizations adopt FCR if we are to make a dent in the rates of human-enabled breaches. So, I am looking for consultants and service providers who would like to be involved in the ground floor of this expansion of FCR from being a service exclusive to my company to being one with broad reach made possible through partnerships. For the sake of clarity, I don't have a partnership program yet. I'm looking for potential partners who want to work with me to collaboratively define the parameters of such a program in a way that works for us both. If you are interested, please contact me here on linkedin or at sonya@szg-tech.com.

2