SecureTheVillage

Cybersecurity News of the Week

Cybersecurity News of the Week, June 2, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

The United Healthcare story in Section 3 shows Senator Ron Wyden taking on the company for having inadequate cybersecurity expertise on its Board. Bob Zukis’ Forbes story in Section 4, picks up Wyden’s thread, pointing out how United Healthcare’s Board set its CEO up for failure. The plain fact is that the head of every organization needs cybersecurity management expertise sitting at the table. This is true for the Board of a publicly traded company with revenues north of $1 billion. And it’s true for the Executive Director of a $1,000,000 nonprofit organization.

Managing cybersecurity requires an understanding of the business risks of cybercrime, up-to-date knowledge of where their organization is vulnerable to cyberthreats, the defensive countermeasures in place that can block attacks, and a thorough tested Incident Response Plan for what to do when the inevitable cyberattack succeeds. As our weekly stories of cybercrime continue to show, this is not a job for amateurs.

From SecureTheVillage

  • Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
  • IT Service Provider / MSP? Take your client’s security to the next level. Apply Now!  If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the IT security management they need.
  • The LA Cybersecure Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
  • Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 
  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
  • Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians TM. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village. TM

Cybersecurity Nonprofit of the Week … Nonprofit Cyber

Great kudos to Nonprofit Cyber. Nonprofit Cyber is a 40-member coalition of cybersecurity nonprofits focused on tangible results.  Coalition members collaborate, work together on projects, voluntarily align activities to minimize duplication and increase mutual support, and link the community to key stakeholders with a shared communication channel. Nonprofit Cyber has compiled the Nonprofit Cyber Solutions Index, a comprehensive index of actual cybersecurity capabilities provided by the nonprofit community. In particular, the index identifies a large selection of free or low-cost cybersecurity capabilities for individuals, small businesses, and others left behind in the current environment. SecureTheVillage is a proud member of Nonprofit Cyber.

Cyber Humor

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

From The Wall Street Journal, an excellent overview of browser privacy.

  • These Internet Browsers Promise Privacy. What Does That Actually Mean?: Some browsers are designed to thwart online trackers and targeted advertising, among other things. Here’s what you need to know. … For consumers who worry about marketers and others tracking them online, there are internet browsers that make privacy a priority. … What exactly do they do—and do they deliver?

Android owners. Make sure you’re smartphones are clean.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

In national cybersecurity news, the White House released Version 2 of its National Cybersecurity Strategy.  Three stories illustrate the Administration’s work in disrupting cybercriminals and in holding organizations accountable for poor cybersecurity management. And the last story is an example of how the Administration is helping the healthcare industry better protect itself in the wake of the United Healthcare, Ascension and other breaches.

  • Fact Sheet: Biden-Harris Administration Releases Version 2 of the National Cybersecurity Strategy Implementation Plan: Read the full Implementation Plan here. … Today, the Biden-Harris Administration released Version 2 of the National Cybersecurity Strategy Implementation Plan which outlines actions the Federal Government is taking to improve U.S. national cybersecurity posture.  This updated roadmap describes 100 high-impact Federal initiatives, each intended to substantively increase our collective digital security and systemic resilience.  These critical implementation actions are informed by the challenges and opportunities we face in cyberspace, as identified in the 2024 Report on the Cybersecurity Posture of the United States
  • 911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation: Botnet Infected Over 19M IP Addresses to Enable Billions of Dollars in Pandemic and Unemployment Fraud, and Access to Child Exploitation Materials. … A court-authorized international law enforcement operation led by the U.S. Justice Department disrupted a botnet used to commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations. … As part of this operation, YunHe Wang, 35, a People’s Republic of China national and St. Kitts and Nevis citizen-by-investment, was arrested on May 24 on criminal charges arising from his deployment of malware and the creation and operation of a residential proxy service known as “911 S5.” … According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide. These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.
  • How the DOJ is using a Civil War-era law to enforce corporate cybersecurity: Amid an onslaught of high-profile cyberattacks showing how companies often neglect basic security measures, the Department of Justice is trying to use a law passed during the Civil War to put businesses on notice that these failures are unacceptable. … Under the umbrella of DOJ’s Civil Cyber-Fraud Initiative, U.S. government attorneys have since early 2022 deployed the pointedly named False Claims Act to punish contractors that mislead the government about their cybersecurity defenses, hoping to send a shot across the bow of other vendors that aren’t complying with rules intended to fend off hackers. … It’s an approach that reflects the goals in President Joe Biden’s National Cybersecurity Strategy, which emphasizes holding companies to a higher standard of cybersecurity and shifting the burden of combating hackers from customers to vendors. … The government has already closed five cyber-fraud cases as part of the initiative, with the defendants ranging from a rocket manufacturer to a web hosting firm to the telecom giant Verizon. And despite the business community’s concerns about the burden of another new accountability measure for cyber negligence, the Justice Department is promising more investigations in the months ahead. … “We are seeing a steady tempo of cases,” a senior Justice Department cyber official said in an interview, “and there’s going to be more to come.”
  • $10 Million SEC Fine for Intercontinental Exchange Over Delayed VPN Breach Report: Intercontinental Exchange (ICE) and its subsidiaries acknowledged the violation and agreed to pay the fine without admitting or denying the SEC’s findings. This incident highlights the critical importance of prompt cybersecurity breach reporting within an organization and its subsidiaries. … The SEC fined Intercontinental Exchange $10 million for failing to promptly report a 2021 security breach on its VPN, potentially compromising employee data. … The delay in notifying subsidiaries hampered their ability to assess the incident and fulfill disclosure requirements under Regulation SCI.
  • HHS to Invest $50M in Cybersecurity for the Healthcare Industry: The Advanced Research Projects Agency for Health (ARPA-H), a Department of Health and Human Services (HHS) agency, announced in a news release on May 20 the launch of the Universal PatchinG and Remediation for Autonomous DEfence (UPGRADE) program. This effort will invest over $50 million in tool creation for cybersecurity in healthcare systems. … According to the press release, UPGRADE will “enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software.” Once a threat is identified, a patch can be tested and implemented with minimum interruption.

These next two stories are but two examples of the cybersecurity crisis hitting the healthcare crisis. Senator Wyden is right to be concerned about the absence of true cybersecurity expertise on United Healthcare’s Board. And who knows what we’ll find when we analyze the breach at Ascension. As Bob Zukis argues in his Forbes post below, every Board and every executive needs solid cybersecurity expertise in the room where decisions are made.

  • UnitedHealth leaders ‘should be held responsible’ for installing inexperienced CISO, senator says: Sen. Ron Wyden unloaded on UnitedHealth Group (UHG) in a letter to regulators on Thursday, calling for the company’s leaders to “be held responsible” for negligence connected to the ransomware attack on Change Healthcare.  … In the four-page letter, Wyden (D-OR) compared the incident to the compromise of SolarWinds and said UnitedHealth’s senior executives and board of directors “must be held accountable” for a cascade of reckless decisions — most notably having a chief information security officer who had not worked in a fulltime cybersecurity role before he was elevated to the job in June 2023. … “One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job,” Wyden said, referencing CISO Steven Martin. 
  • ‘It’s putting patients’ lives in danger’: Nurses say ransomware attack is stressing hospital operations: A ransomware attack on a major US hospital network that began three weeks ago is endangering patients’ health as nurses are forced to manually enter prescription information and work without electronic health records, nurses at two hospitals affected by the cyberattack told CNN. … “It’s putting patients’ lives in danger,” said a nurse who works at Ascension Providence Rochester Hospital, a 290-bed facility about 25 miles north of downtown Detroit. “People have too many patients for what is safe. Nurses are taking on five or six patients dealing with all of this paper charting.” … The cyberattack hit Ascension, a St. Louis-based nonprofit that oversees 140 hospitals across 19 states, on May 8, but the healthcare network is still working to bring its systems back online.

In a story we’ve been tracking for some time, it’s good to hear that NIST has a solution to get the National Vulnerability Database brought up to date and assure its ongoing maintenance.

  • NIST Getting Outside Help for National Vulnerability Database: NIST is receiving support to get the NVD and CVE processing back on track within the next few months. … NIST announced on Wednesday that it will be receiving outside help to get the National Vulnerability Database (NVD) back on track within the next few months. 

A warning from Warren Buffett about the potential for huge losses for cyber-insurance companies.

  • Warren Buffett is worried about potential for ‘huge losses’ in booming, but still tiny insurance market: Warren Buffett and Berkshire Hathaway’s top insurance executive Ajit Jain recently warned of the potential for “huge losses” in cybersecurity insurance in annual meeting comments. … Buffett expressed concern about agents rushing to sign up cyber insurance clients without adequate actuarial data and risk analysis, and used Charlie Munger’s “rat poison” phrase to describe the boom. … One of the messages that Warren Buffett and Berkshire Hathaway’s top insurance executive, Ajit Jain, sent to investors during the company’s recent annual shareholder meeting in Omaha was that cyber insurance, while currently profitable, still has too many unknowns and risks for Berkshire, a huge player in the insurance market, to be fully comfortable underwriting.

This week in cybercrime:

  • Ticketmaster hack may affect more than 500 million customers: Ticketmaster’s parent company says it is investigating a possible data breach after a group of hackers claimed to have stolen the personal information of 560 million Ticketmaster customers. … In a securities filing, Ticketmaster owner Live Nation said it identified “unauthorized activity within a third-party cloud database environment containing Company data” on May 20. … A week later, the hacking group ShinyHunters claimed it had obtained 1.3 terabytes of Ticketmaster user data, including names, addresses, phone numbers, as well as order details and credit card information. The hackers were selling the data on the dark web for $500,000, according to Hack Read.
  • Easterseals of Central Illinois falls victim to a data breach: PEORIA, Ill. (WMBD) — Easterseals of Central Illinois announced on Friday that it has fallen victim to a data breach. … According to a statement released by Easterseals, on April 1 the non-profit experienced a network disruption that impacted its access to certain systems.
  • Nearly 3 million affected by Sav-Rx data breach: Nearly three million people had sensitive information leaked during an October cyberattack on the prescriptions management company Sav-Rx.  … In filings to regulators last week and a notice on its website, the company said names, addresses, eligibility data, insurance identification numbers and Social Security numbers were accessed when hackers breached their network on October 3. … Sav-Rx, which manages prescription drug benefits for hundreds of unions and other organizations, discovered the attack on October 8 when they experienced a network disruption. The company’s IT system was restored within 24 hours and all prescriptions were shipped on time without delay. Law enforcement agencies were notified of the attack. … An investigation completed on April 30 revealed that the hackers accessed non-clinical systems and obtained files related to Sav-Rx’s medication benefits management services platform.
  • After Hack, Christie’s Gives Details of Compromised Client Data: Its disclosure came after RansomHub claimed responsibility for the cyberattack and threatened to release client data on the dark web. … The auction house Christie’s said Thursday that it had alerted the Federal Bureau of Investigation and the British police about the cyberattack that hobbled its website earlier this month, and began telling clients what types of personal data had been compromised. … The company said in an email to clients that neither their financial data nor any information about their recent sales activity had been exposed in the hack. But it said that some personal data from clients’ identification documents had been compromised.

Here’s an excellent review of the award-winning New York Times bestseller about the American women who secretly served as codebreakers during World War II–a “prodigiously researched and engrossing” (New York Times) book that “shines a light on a hidden chapter of American history” (Denver Post).

Section 4: Helping Executives Manage Information Risk.

From our friend, Bob Zukis, founder of the Digital Directors Network. Whether you’re a $100 billion mega-corporation or a $10,000,000 small business, you need cybersecurity expertise sitting at the table.

  • How Corporate Boards Are Setting CEO’s Up For Cybersecurity Failure: On May 1, 2024 the CEO of UnitedHealthGroup (NYSE:UNH) was invited to Washington, D.C. to spend the day getting raked over the coals by U.S. Senator Ron Wyden (D-Oregon) Chairman of the Senate Finance Committee and others at a meeting titled “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.”Wyden set the tone early when he described the UNH cyber incident this way, “The Change Healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in American history.” … In his opening remarks he clearly expressed his disdain for the UnitedHealth Group (UHG) boardroom as a contr ol in their cybersecurity system when he said, “Accountability for Change Healthcare’s failure starts at the top. Before this hearing, I asked UHG which members of its board have cybersecurity expertise. UHG pointed to NCAA President Charlie Baker, who signed some technology-related legislation into law years ago when he was governor of Massachusetts. Mr. Baker is certainly an expert on basketball, but UHG needs an actual cybersecurity expert on its board.”

Section 5:  Securing the Technology.

All three of these stories illustrate the challenges smaller IT service providers and MSPs face. Too few people. Too much to do. The combination is unsustainable.

  • Pretty much all the headaches at MSPs stem from cybersecurity: More cybercrime means more problems as understaffed teams stretched to the limit. … Managed Service Partners (MSPs) say cybersecurity dwarfs all other main concerns about staying competitive in today’s market. … Adding to the already notoriously strained existence of an MSP is work that even folk in the infosec industry struggle to keep up with, and leaves those looking after client systems and IT struggling to juggle it all.
  • Exploit released for maximum severity Fortinet RCE bug, patch now: ​Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet’s security information and event management (SIEM) solution, which was patched in February.
  • Hackers target Check Point VPNs to breach enterprise networks: Threat actors are targeting Check Point Remote Access VPN devices in an ongoing campaign to breach enterprise networks, the company warned in a Monday advisory.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge

SUPPORT US

SecureTheVillage is a community-based response to the cybersecurity and privacy crisis. We are a 501c(3) nonprofit with a vision of a cybersecure global village. We invite you to join with us as together we make the vision a reality. It takes the village.

Be a CyberPartnerDonate