Friday Five 10/8
News on CISA's new system to attract cyber talent, an Apache zero-day, and Microsoft on the lack of acceptance around MFA - catch up on the news of the week with the Friday Five!
1. Microsoft: 58% of Nation-State Cyberattacks Come From Russia by Kelly Sheridan
Some interesting transparency from Microsoft on the challenges of securing a workforce that is now largely working from home, namely how sparse the use of strong authentication like multifactor authentication (MFA) still is. According to Microsoft, only 20 percent of users and 30 percent of global admins use MFA, despite Azure Active Directory seeing 50 million password attacks daily. Global admins are the most privileged accounts in a tenant, so that 30 percent figure is the one to act on first. The numbers (and there are more where those came from) come from Microsoft's Digital Defense Report. As the headline of the Dark Reading piece suggests, there are statistics on nation-state threats, as well as on cybercriminal activity, hybrid workforce security, disinformation, Internet of Things (IoT) and operational technology (OT), and supply chain security. If you're interested in digging in further, the report is here.
2. Justice Department unveils cryptocurrency enforcement team to trace, recover ransomware payments by Hannah Mitchell
A quick and to-the-point (five points, actually) primer on the National Cryptocurrency Enforcement Team, formed this week by the Justice Department. According to the DOJ, the team will be in charge of improving the US government's ability to "dismantle the financial entities that enable criminal actors to flourish," much like the recently sanctioned cryptocurrency exchange SUEX. If it wasn't already in the works, you have to imagine this group came together pretty quickly following the Colonial Pipeline ransomware attack in May. The Justice Department said in June it was able to trace and seize 63.7 of the 75 Bitcoins, some $2.3 million of the $4.3 million, that Colonial paid as a ransom. It's probably safe to assume many of those tasked with recouping those funds are now part of this enforcement team.
3. Apache HTTP Server Project patches exploited zero-day vulnerability by Charlie Osborne
An important heads up from ZDNet in case you missed it: a serious zero-day vulnerability in Apache HTTP Server, CVE-2021-41773, is being exploited in the wild. The flaw is a path traversal bug introduced by a path normalization change in version 2.4.49; earlier releases are not affected. The Apache Software Foundation patched it in 2.4.50, but that fix turned out to be incomplete, and the bypass was assigned its own identifier, CVE-2021-42013. Apache therefore had to ship a second release, 2.4.51, which closes both the original bug in 2.4.49 and the insufficient fix in 2.4.50. Yesterday CISA urged anyone overseeing Apache HTTP Server to patch immediately. "Active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation. Please patch immediately if you haven't already—this cannot wait until after the weekend," CISA tweeted.
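If you run Apache HTTP Server, the one check worth doing before the weekend is confirming which release you are actually on. The shell snippet below is an added example, not code from the ZDNet article, CISA or the Apache project. It assumes only POSIX sh, sed, grep and curl, and that the server binary is named httpd or apache2 (the file name httpd-check.sh is assumed too). It reads a version out of either the local binary's `-v` output or a remote `Server:` header and classifies it against the two affected releases named above (2.4.49 and 2.4.50) and the fixed one (2.4.51).

```shell
#!/bin/sh
# Added example, not from the article, CISA or the Apache project.
# Triage an Apache httpd version against the releases named in the article:
#   2.4.49  affected (CVE-2021-41773)
#   2.4.50  affected (CVE-2021-42013, the incomplete fix)
#   2.4.51  fixes both
# Assumes POSIX sh, sed, grep and curl; binary names httpd/apache2 are assumed.

# Print the first "x.y.z" that follows "Apache/" in $1, e.g. from the output of
# `httpd -v` ("Server version: Apache/2.4.50 (Unix)") or from a "Server:"
# response header. Prints nothing when no version is exposed.
extract_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Classify a version string produced by extract_httpd_version. Prints one of:
#   vulnerable    2.4.49 or 2.4.50: upgrade to 2.4.51 now
#   fixed         2.4.51 or later
#   not-affected  a 2.4.x release older than 2.4.49 (the flaw arrived in 2.4.49)
#   out-of-scope  not a 2.4.x release; this check says nothing about it
#   unknown       no version could be read (e.g. ServerTokens Prod hides it)
classify_httpd_version() {
    case "$1" in
        '')            echo unknown;      return ;;
        2.4.49|2.4.50) echo vulnerable;   return ;;
        2.4.[0-9]*)    ;;
        *)             echo out-of-scope; return ;;
    esac
    patch=${1##*.}
    if [ "$patch" -ge 51 ]; then echo fixed; else echo not-affected; fi
}

# Classify the httpd installed on this host. Debian/Ubuntu ship the binary as
# apache2; most other distributions use httpd.
check_local_httpd() {
    for bin in httpd apache2 /usr/sbin/httpd /usr/sbin/apache2; do
        if command -v "$bin" >/dev/null 2>&1; then
            classify_httpd_version "$(extract_httpd_version "$("$bin" -v 2>/dev/null)")"
            return
        fi
    done
    echo unknown
}

# Classify a remote server from its Server: header. "unknown" here only means
# the banner is hidden, not that the host is patched; confirm on the host.
check_remote_banner() {
    classify_httpd_version "$(extract_httpd_version \
        "$(curl -sI --max-time 5 "$1" 2>/dev/null | grep -i '^Server:')")"
}

# Usage: sh httpd-check.sh [URL ...]
# Reports this host first, then any URLs given on the command line.
printf 'local: %s\n' "$(check_local_httpd)"
for url in "$@"; do
    printf '%s: %s\n' "$url" "$(check_remote_banner "$url")"
done
```

Treat the remote check as a first pass only: a hardened server hides its version banner, so "unknown" from a URL tells you nothing about patch level, and the authoritative answer is always `httpd -v` (or `apache2 -v`) on the box itself.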
4. CISA chief looks to new system to attract cyber talent by Chris Riotta
Encouraging words this week from Jen Easterly, who has impressed in her short stint so far as director of the Cybersecurity and Infrastructure Security Agency (CISA). Easterly, who was unanimously confirmed in July to lead the agency after the post had sat empty for eight months, has kept busy: her speech in August announcing the Joint Cyber Defense Collaborative was well received, and there has been no shortage of CISA events this week. At one of them, the annual Billington Cybersecurity Summit, Easterly shared that a new talent management system could help prime the federal cyber workforce pump. "We're bringing in folks who normally may not come to CISA and creating entry-level pathways," Easterly explained. "Cyber Talent Management System (CTMS) allows us to hire people based on aptitude, and we can pay people close to the market so it's more competitive."
5. Massachusetts has a chance to clean up our national privacy disaster by Woodrow Hartzog
Not an article per se, but a good op-ed by Northeastern University Professor of Law and Computer Science Woodrow Hartzog about a bill working its way through Massachusetts that could give the state a new foundation for data privacy: the Massachusetts Information Privacy Act. If you're not familiar with the legislation, Hartzog covers what it would rein in, think surveillance and the sale of consumer data. It would give residents more control over their data and give the state, through a new agency, the Massachusetts Information Privacy Commission, the means to enforce privacy regulations. It's of course too early to know where MIPA will go from here, but this Boston Globe op-ed does a good job getting the bill on people's radar.