Category: Cyber Security CII sector

Cyber Security CII sector

Cyber attacks on operational technology increasing

Cyber Security CII sector, Industry News
Ransomware: What board members should know and what they should be asking their technical experts
A recent report by FireEye’s Mandiant looked at attacks on operational technology control processes. Once viewed as complex due to access requirements, there are now many more internet-facing endpoints offering a wider attack surface.
Mandiant noted that attackers are not necessarily sophisticated, nor do they know what they are targeting. Graphical user interfaces have been accessed allowing attackers to modify variables without understanding the process being controlled.
The recent attack on Colonial Pipeline disrupted supply lines causing shortages is just one of a number of attacks against critical infrastructure networks.
Last year, in joint work, the NCSC released information for Critical National Infrastructure (CNI) organisations on effective use of the Security design principles and CISA, in the US, issued a summary of best practices for the security of Industrial Control Systems (ICS).
Leave a comment , ,

Ransomware: What board members should know and what they should be asking their technical experts

Agency News, Cyber Security CII sector, Industry News
Ransomware is the subject of this spotlight topic for board members, building on the guidance given in the Cyber Security Toolkit for Boards.
The impact of a ransomware attack on an organisation can be devastating. So what should board members be doing to ensure that their organisation is prepared for such a ransomware attack, and in the best possible place to respond quickly ?
This blog, part of the Cyber Security Toolkit for Boards, explains the basics of ransomware, and suggests relevant questions that board members might want to ask their technical experts to help drive greater cyber resilience against these types of attack.
Why should board members concern themselves with ransomware?
Cyber security is a board-level responsibility, and board members should be specifically asking about ransomware as these attacks are becoming both more frequent[1] and more sophisticated.
Ransomware attacks can be massively disruptive to organisations, with victims requiring a significant amount of recovery time to re-enable critical services. These events can also be high profile in nature, with wide public and media interest.
What do board members need to know about ransomware?
Board members don’t need to be able to distinguish their Trickbots and their Ryuks, but knowing the basics of how ransomware works will mean they can have constructive conversations with their technical experts on the subject.
So what do you need to know about ransomware?
- Ransomware is a type of malware that prevents you from accessing your computer (or the data stored on it). Typically, the data is encrypted (so that you can’t use it), but it may also be stolen, or released online.
- Most ransomware we see now is ‘enterprise-wide’. This means it’s not just one user or one machine that is affected but often the whole network. Once they’ve accessed your systems, attackers typically take some time moving around, working out where critical data is saved and how backups are made and stored. Armed with this knowledge the attacker can encrypt the entire network at the most critical moment.
- The attacker will then usually make contact with the victim using an untraceable email address (or an anonymous web page), and demand payment to unlock your computer and/or access your data. Payment is invariably demanded in a cryptocurrency such as Bitcoin and may involve negotiation with the humans behind the ransomware (who have spent time in your organisation’s networks assessing how much you might be willing or able to pay).
- However, even if you do pay the ransom, there is no guarantee that you will get access to your computer, or your files.
- We have also seen cyber criminals threaten to release sensitive data stolen from the network during the attack if the ransom is not paid.
- The government strongly advises against paying ransoms to criminals, including when targeted by ransomware. There are practical reasons for this (see question 4) and also concern that paying ransoms likely encourages cyber criminals to continue such attacks.
Full details at https://www.ncsc.gov.uk/blog-post/what-board-members-should-know-about-ransomware
Leave a comment , , ,

Cybersecurity for U.S. critical infrastructure a ‘national-security imperative'

Cyber Security CII sector, Industry News
Protecting U.S. critical infrastructure from the often-debilitating impacts of cyberattacks is a “national imperative” that will require cooperation between the government and private sector, according to Brian Scott, director of critical-infrastructure cybersecurity for the National Security Council (NSC).
Scott said variety of sources—nation-states, state-sponsored actors and cybercriminals—are responsible for the cyberattacks, and many of the impacts have been significant, as recent events have reinforced. Indeed, more than 18,000 entities were deemed vulnerable during the SolarWinds attacks first announced in December, and a ransomware attack on Colonial Pipeline resulted in the shutdown of more than 11,000 gas stations in the southeast U.S., he said.
“Public and private entities are increasingly under constant, sophisticated, malicious and often-unseen probing and attacks from nation-state adversaries and criminals,” Scott said last week during the “Cyber Defenders” online event hosted by Nextgov. “Today more than ever, cybersecurity is a national-security imperative.
“Adversaries and malicious cyber actors see U.S. government and U.S. commercial networks as particularly rich targets and are aggressively working to compromise them.”
Beyond the SolarWinds and Colonial Pipeline incidents, Scott cited compromises to Microsoft Exchange Servers and Pulse Secure VPNs as examples of the challenges facing public and private U.S. entities in an increasingly treacherous cyber environment.
Meanwhile, ransomware attacks last year generated average demands of more than $100,00, with the top ransom demands exceeding $10 million, Scott. And a 2019 study estimated that data breaches cost the company experiencing one an average of $13 million, as well as significant intellectual-property losses.
Full story: https://urgentcomm.com/2021/06/01/cybersecurity-for-u-s-critical-infrastructure-a-national-security-imperative-nsc-official-says/
Leave a comment , ,

FS-ISAC Report Finds Cybercriminals and Nation-State Actors Converging, Increasing Cross-Border and Supply Chain Attacks

Cyber Security CII sector, Industry News
FS-ISAC, the only global cyber intelligence sharing community solely focused on financial services, announced today the findings of its latest report, which found that wittingly or otherwise, nation-states and cyber criminals are leveraging each other’s tools and tactics, leading to an increase in cross-border attacks targeting financial services suppliers.
The pandemic has accelerated digitization, connectivity, and the sector’s interdependence, as demonstrated by recent supply chain incidents. Increasingly, the financial sector needs a trusted conduit of real-time cyber information between institutions and third-parties.
"FS-ISAC was the logical host for us to brief the financial services sector to reach a critical mass of institutions around the world all at once," said Jonathan Yaron, CEO of Accellion. "This way, we could ensure that the industry received critical and correct information via a trusted source, enabling it to act quickly to mitigate the impact of the incident."
“Organizations properly practicing defense-in-depth with multi-layered controls are still vulnerable to large-scale and even systemic issues through third party suppliers,” said J.R. Manes, Global Head of Cyber Intelligence at HSBC. “The FS-ISAC community provides its members the visibility into emerging threats that could impact customers and business, even when they are not directly exposed. Ensuring and encouraging the sharing of cyber threat intelligence is a vital part of the defense of not only the financial sector, but the whole business ecosystem that runs on top of the Internet.”
FS-ISAC’s report outlines today’s top threats:
- Convergence of nation-states and cyber criminals: Nation-state actors are leveraging the skills and tools of cyber criminals, either knowingly or not, to enhance their own capabilities.
- Third-party risk on an upward trend: Suppliers to financial firms will continue to be lucrative targets for threat actors, as shown by three highly visible incidents in the last two quarters.
- Cross-border attacks will increase: Cyber criminals test their attack in one country before hitting multiple continents and sub-verticals, as shown by a DDoS extortion campaign targeting ~100 financial institutions in months.
“Trying to outpace evolving cyber threats diverts resources from a financial firm’s core business,” said Steve Silberstein, FS-ISAC CEO. “As the global fincyber utility, FS-ISAC enables industry-wide cross-border sharing to pool resources, expertise, and capabilities to manage cyber risks and incident response.”
Report Methodology
The Navigating Cyber 2021 report is derived from FS-ISAC’s rigorous threat intelligence monitoring maintained by its intelligence operations team. The intelligence is sourced from FS-ISAC's thousands of member financial firms in more than 70 countries and further augmented by analysis by the Global Intelligence Office. Multiple streams of intelligence were leveraged for the curation of the round-up, which examined data across a one year period from January 2020 to January 2021.
Leave a comment , , ,

Large UK organisations offered ten steps to stay ahead of cyber threat

Agency News, Cyber Security CII sector, Industry News

Refreshed 10 Steps to Cyber Security guidance released for cyber security professionals in large and medium sized organisations.

Cyber security professionals at large and medium sized organisations have today been given access to a suite of refreshed guidance to help them stay ahead of current and emerging cyber threats.

The guidance, 10 Steps to Cyber Security, is a collection of advice from the National Cyber Security Centre – a part of GCHQ – that supports CISOs and security professionals keep their company safe by breaking down the task of protecting an organisation into ten components.

It is being unveiled during CYBERUK, a virtual gathering of thought leaders from the cyber security community and hosted by the NCSC.

The 10 Steps to Cyber Security, which were first published in 2012 and are now used by a majority of the FTSE350, have been updated to capture challenges posed by the growth of cloud services, the shift to large-scale home working, and the rise and changing nature of ransomware attacks.

Sarah Lyons, NCSC Deputy Director for Economy and Society, said:

“The cyber threat landscape is constantly evolving and that’s why it’s really important that all businesses understand their cyber risk.

“Our 10 Steps to Cyber Security has been – and continues to be - a fundamental guide for network defenders and this update demonstrates our commitment to securing the UK economy.

“Following our advice will reduce the likelihood of incidents occurring but also minimise impact when they do get through.”

The renewed ten components, all of which consider that home and mobile working is now the default for most large and medium sized organisations, cover:

- Risk management
- Engagement and training
- Asset management
- Architecture and configuration
- Identity and access management
- Vulnerability management
- Data security
- Logging and monitoring
- Incident management
- Supply chain security

The refreshed guidance, which can also be used by charities and public sector organisations, can be used in tandem with the NCSC’s Cyber Security Board Toolkit, which helps frame discussions between technical experts and the Board to ensure that online resilience is a high priority.

Leave a comment ,

ITU and UNDP join forces to address urgent unmet capacity building needs

Cyber Security CII sector, Industry News

The rise of digital technologies and ways of working offers extraordinary new opportunities to further global sustainable development and achieving the Sustainable Development Goals, from increasing economic resilience to mitigating the damage of COVID-19 and delivering more effective public services. Yet not everyone is equally able to take advantage of these opportunities, particularly as the rapid pace of digital change places further demands on resource-constrained governments and societies.

Bridging the world's digital divide is increasingly urgent, as those who left out of today's digital transformation are in danger of falling further behind. This means ensuring that digital services are available everywhere, as well as affordable and accessible to all.

To address this key issue, the International Telecommunication Union (ITU) and the United Nations Development Programme (UNDP) have launched a Joint Facility for Digital Capacity Development to support those not currently served by existing digital capacity development resources or channels.

Supporting UN Efforts in Digital Capacity Development

The Joint Facility stands in support of the UN Secretary-General's Roadmap for Digital Cooperation, which calls for "a broad multi-stakeholder network to promote holistic, inclusive approaches to digital capacity-building for sustainable development, including a new joint facility for digital capacity development, which will be led by ITU and UNDP."

People and communities currently underserved in terms of digital capacity will benefit from more efficient and effective support from the ITU/UNDP Joint Facility, which aims to make digital opportunities accessible to all.

​"Robust and effective digital capacity building underlines the fulfilment of the Secretary-General's Roadmap for Digital Cooperation, by supporting countries in their efforts to harness the full potential of digital technology as part of their digital futures", said Assistant Secretary-General Maria Francesca Spatolisano, Officer-in-Charge at the UN Office of the Envoy on Technology.

"The Joint Facility will further strengthen our collective effort to equip people with the needed digital skills, literacy and capabilities, alongside with the multi-stakeholder network for digital capacity development envisioned in the roadmap."

The Joint Facility aims to:
- direct stakeholders to relevant existing ITU/UNDP resources, including digital literacy and skills training;
- identify areas of unmet demand for digital capacity development initiatives and work with end users to develop new interventions when needed;
- identify patterns and trends in unmet stakeholder needs; and
- direct strategic, operational, and programmatic support in executing digital strategies, capacity development initiatives, or other high-priority operational areas for partners.

Digital capacity must be strengthened on both the local and international levels to enable inclusive digital and societal transformation.

While governments are the main target audience, other groups requiring digital capacity support will also benefit from the services offered by the Joint Facility.

Bringing UN Agencies Together for Meaningful Change

The Joint Facility cements the partnership between ITU and UNDP to drive digital capacity development, and intends to have a new single structure facilitating joint resourcing, roles, and responsibilities.

Through its Development Sector, ITU provides direct assistance and capacity development initiatives to bridge the digital divide, promote digital inclusion and facilitate digital transformation for all.

"Making adequate capacity development tools available to all is more important than ever to bridge the digital divide and connect half of the world's population that are still offline," said Doreen Bogdan-Martin, Director of ITU's Telecommunication Development Bureau.

"There are many aspects to developing digital skills apart from the actual training. Through the Joint Facility, we will be able to assist countries across the digital skills development value chain from assessing digital capacity needs, advising on digital strategies, and even helping with procurement and raising funds for digital development. We are incredibly excited to work together with the UNDP towards this."

UNDP's wide field presence and topic expertise will help match key local context to relevant digital solutions.

"The lack of sufficient digital skills is a major barrier to reaping the benefits of digitalization and threatens to leave the most marginalized behind," said Robert Opp, UNDP's Chief Digital Officer. "The UNDP is proactively investing in the key area of digital capacity building so that we can all take advantage of digital opportunities together."

While building on existing collaboration between the two agencies, the Joint Facility also paves the way for wider, longer-term collaboration between the UNDP and ITU.​

More information about the Joint Facility can be found at digital-capacity.org.

[source:ITU]
Leave a comment , , ,

British tech startups offered help to keep innovations secure

Agency News, Cyber Security CII sector, Industry News

New guidance from the NCSC and the Centre for the Protection of National Infrastructure (CPNI) to help fledgling technical companies consider key questions around security.

UK startups working on world-leading emerging technology are being offered new guidance to help secure their innovations from a range of security risks.

The guidance from the National Cyber Security Centre (NCSC) – a part of GCHQ – and the Centre for the Protection of National Infrastructure (CPNI) helps fledgling companies working in emerging technologies consider key questions around security.

Launched during the NCSC’s flagship CYBERUK event, the guidance encourages companies to take steps to strengthen their defences against criminals, competitors and hostile state actors.

UK companies working in emerging technologies are likely to be a particularly attractive target to a wide range of actors, including those backed by foreign states seeking technological advancement.

The ‘Secure Innovation’ package of guidance was developed in consultation with emerging technology companies and highlights the importance of laying strong security foundations that can evolve as startups grow, in a cost-effective and proportionate manner.

NCSC Technical Director Dr Ian Levy said:

“The UK has one of the world’s best startup ecosystems, which makes companies working in emerging technologies a target for hostile actors.

“That’s why alongside CPNI we have created bespoke guidance which aims to show these companies what good physical and cyber security looks like and how to implement it.

“Putting good security in place now is a sound investment for these companies, helping lower the risks of future disruption and enhancing their attractiveness to investors.”

The Director of CPNI said:

“UK start-ups and scaleups raised record investment in 2020, closing nearly £11billion in venture-capital funding, despite the obvious challenges. A large part of this success story is how open and engaging UK businesses have always been with their international partners. As new markets continue to emerge, so will the potential threats to companies’ intellectual property and ideas at the hands of hostile states, criminals, and competitors.

“Developed in partnership between CPNI and NCSC and aimed at companies in emerging technology, Secure Innovation provides a holistic approach to all aspects of security, ensuring that good cyber principles are not undermined by physical, and people risks which could threaten the success of a start-up if not managed well from the outset.

“Based on CPNI and NCSC’s technical expertise in protective security, this guidance provides the tools to establish simple, low cost and pragmatic security-minded behaviours from the outset, making protecting their innovation and ingenuity as easy as possible.”

The Secure Innovation guidance, aimed at founders or chief executives of emerging technology startups, explains how security can be integrated into an organisation’s culture and advocates for security focused risk management around supply chains, IT networks, information, people and physical security, cloud computing and more.

Leave a comment , ,

U.S. law enforcement warn of regular, regionally disruptive threats that could impact the delivery of patient care

Cyber Security CII sector, Industry News

The Federal Bureau of Investigation has issued an alert regarding “Conti,” a highly disruptive ransomware variant. Attacks associated with Conti and the previously published Darkside ransomware variant are believed to be emanating from criminal networks operating from a non-cooperative foreign jurisdiction.

The FBI says it identified at least 16 Conti ransomware attacks targeting U.S. health care and first responder networks, including law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities within the last year.

Ransomware attacks associated with these variants have resulted in regionally disruptive impacts to critical infrastructure, including hospitals and health systems in the United States and Ireland. Most recently, hospitals in New Zealand have been hit by disruptive ransomware attacks.

These ransomware attacks have delayed or disrupted the delivery of patient care and pose significant potential risks to patient safety and the communities that rely on hospitals’ availability.

The American Hospital Association (AHA) remains concerned about cyberattacks with the potential to disrupt patient care and jeopardize patient safety. As stated in our testimony before the Senate Homeland Security Committee in December 2020, the AHA believes that a ransomware attack on a hospital or health system crosses the line from an economic crime to a threat-to-life crime.

The AHA acknowledges and commends the U.S. government’s efforts to share timely and actionable cyber-threat intelligence. However, relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat. The vast majority of these attacks originate from outside the United States, often beyond the reach of U.S. law enforcement, where ransomware gangs are provided safe harbor and allowed to operate with impunity, sometimes with the active assistance of adversarial nations.

In response, the AHA has urged the government to embark upon a coordinated campaign that will use all diplomatic, financial, law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations and seize their illegal proceeds, as was done so effectively during the global fight against terrorism.

Leave a comment , ,

Darkside Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

Agency News, Cyber Security CII sector, Industry News

(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs).
Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.

The Cybersecurity and Information Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed Darkside ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the
entity’s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

Darkside Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs). Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.

The Cybersecurity and Information Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed Darkside ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the
entity’s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

Mitigations
CISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks.
- Require multi-factor authentication for remote access to OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and reenforce the appropriate user responses to spearphishing emails.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
- Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.

Leave a comment , , ,

Mitigating the Impacts of Doxing on Critical Infrastructure

Agency News, Cyber Security CII sector, Industry News
CISA has produced an insight designed to help mitigate the impact of doxing: Mitigating the Impacts of Doxing on Critical Infrastructure:
WHAT IS DOXING?
Doxing refers to the internet-based practice of gathering an individual’s personally identifiable information (PII)—or an organization’s sensitive information— from open source or compromised material and publishing it online for malicious purposes. Although doxing can be carried out by anyone with the ability to query and combine publicly available information, it is often attributed to state actors, hacktivists, and extremists.
Doxers compile sensitive information from compromises of personal and professional accounts and a wide range of publicly available data sources to craft invasive profiles of targets, which are then published online with the intent to harm, harass, or intimidate victims.
POTENTIAL IMPACT TO CRITICAL INFRASTRUCTURE
Like many other businesses, critical infrastructure organizations maintain digital databases of PII and organizationally sensitive information, making them ripe targets for doxing attacks. Threat actors may target critical infrastructure organizations and personnel with doxing attacks as a result of grievances related to organizational activities or policies. Incidents of doxing that target personnel and facilities often serve to harass, intimidate, or inflict financial damages, and can potentially escalate to physical violence.
Doxing also poses a threat to senior leadership of critical infrastructure organizations, who may be targeted due to their elevated position with the organization or stance on a particular issue. Doxing attacks targeting senior leaders often serve as “reputation attacks” and could lead to activities seeking to embarrass, harass, or undermine confidence in an official.
Leave a comment , , , ,
1 16 17 18 19 20 28