Friday Five 3/18
How HIPAA can help mitigate cyberattacks, killing the password, and more - catch up on the infosec news of the week with the Friday Five!
1. CISA, FBI tell satellite communications network owners to watch out for hacks after Ukraine attack by Tim Starks
As part of the Cybersecurity and Infrastructure Security Agency's (CISA) Shields Up initiative, in which the U.S. government's cybersecurity arm is recommending that all organizations adopt a heightened cybersecurity posture, it hasn't been a surprise to see new recommendations for organizations roll out every few days. This week brought one for companies that oversee satellite communication networks. In a warning on Thursday, CISA pushed providers to shore up their systems and "lower their threshold for reporting and sharing indications of malicious cyber activity." CISA acknowledged that a SATCOM intrusion could introduce risk into a provider's environment and, in turn, that of their customers. The warning comes a few weeks after news that one of Ukraine's satellite services, KA-SAT, was sabotaged in the early days of the ongoing Russian invasion of Ukraine.
2. A Big Bet to Kill the Password for Good by Lily Hay Newman
As far as catchphrases go, it seems like we've heard about "killing the password" almost as much as "cyber Pearl Harbor" over the past few years, but here's an interesting take from the FIDO Alliance, an industry group that works on solving secure authentication problems, via WIRED. It's based on a new conceptual research paper that eyes a paradigm shift away from passwords in favor of passkeys. It's a little broad and won't happen overnight - as FIDO notes, it's meant as a "general-purpose solution and may not always fit the most extreme security requirements." The idea mostly relies on harnessing the power of Bluetooth and something you can use for physical authentication, like a dongle or laptop. There's no timeline in mind, but there's some hope here for those looking to ditch passwords.
3. New details emerge on prolific Conti-linked cybercrime group by AJ Vicens
Cyberscoop breaks down a new report from Google's Threat Analysis Group on a threat actor it's dubbing Exotic Lily that appears to have a connection to the ransomware group Conti, seemingly in the role of an initial access broker. In this role, the group seeks out vulnerable organizations to phish - sometimes sending as many as 5,000 emails a day - and then sells that access to the highest bidder. "We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation," the TAG researchers wrote.
4. HHS: HIPAA can ‘substantially mitigate’ most common healthcare cyberattacks by Jessica Davis
The Department of Health and Human Services Office for Civil Rights is reminding healthcare organizations that adhering to the basic security principles outlined in the Health Insurance Portability and Accountability Act Security Rule can go a long way towards preventing their next data breach. As Jessica Davis in SC Magazine notes, HHS OCR pushed organizations this week to get back to following cybersecurity basics, like rolling out ways to prevent phishing, vulnerabilities, and weak authentication from being exploited by hackers. Implementing a security awareness and training program, deploying technology to help detect and block email threats, and using a privileged access management system can help mitigate many of these. "Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule's requirements. Unfortunately, many regulated entities continue to underappreciate the risks and vulnerabilities of their actions or inaction," HHS OCR said.
5. Facebook fined $18.6M over string of 2018 breaches of EU’s GDPR by Natasha Lomas
TechCrunch recaps the latest mega fine from Europe's leading data protection authority, the Irish Data Protection Commission's (DPC) decision to hand down a €17 million (~$18.6 million) fine to Meta, Facebook's parent company. The fine has been a long time coming; it's based on several data breaches disclosed to the DPC from June to December 2018, shortly after the European Union's General Data Protection Regulation (GDPR) came into effect. Specifically, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. "The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the twelve personal data breaches." While €17 million may sound like a lot to some people, it's surely just a drop in the bucket for Meta and Facebook, which has an annual revenue of north of $100 billion.