MegaZone is back with you once again. Just back from PTO (Anaheim, what's up with the intense heat and tropical humidity? Jealous of Orlando?) and catching up on the news. Just have time to cherry pick a few things that caught my attention, before diving back into preparation for our next Quarterly Security Notification - coming October 19th. (You have that on the calendar, yes?) So, let's just jump right into it.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Request For Information (RFI) opening a sixty-day comment period on their proposed cyber incident reporting requirements. These comments will help shape the rules CISA is required to publish under the 2023 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). It is a first step in developing the rules, which we'll eventually see in a Notice of Proposed Rulemaking (NPRM). These rules will potentially have a major impact on the information security industry, and this is the time for the industry to have its say and help shape those rules.
This caught my eye just by synchronicity. (And now I have a Police earworm.) Security news is always drinking from the firehose, and stories come and go so quickly, but as I was catching up on the week all at once I started noticing one story after another connected in some way with healthcare. Not too long ago a lot of adversaries deliberately steered clear of medical devices, hospitals, etc. to avoid too much negative perception. I recall at least once when a hospital was hit with ransomware, and when the responsible parties realized it was a hospital they just gave them the key to restore things. Ah, simpler times, long gone. These days everything goes, and if that ends up killing grandpa, well, that's just collateral damage.
A real grab bag of issues came up over the past week. There are vulnerabilities in an ICU monitoring device and in medical infusion pumps. Surely those aren't at all important. Of course, one of the vulnerabilities involves telnet, of all things. Why not rlogin? This is a common problem with medical devices: they often run ancient software and still support protocols the rest of the world has long since abandoned as hopelessly insecure. On the one hand we have medical certification, which makes it hard to update things, and on the other we have devices increasingly connected to the network. That's not a good combination.
Then there's a report on the severity of the impact of ransomware on healthcare - one thing that caught my eye from that one:
Overall, 89% of the surveyed organizations experienced an average of 43 attacks in the past 12 months, almost one attack per week. More than 20% suffering the four most common types of attacks — cloud compromise, ransomware, supply chain, and business email compromise — experienced increased patient mortality rates.
So, yeah, these issues are literally killing people, lovely. Reinforced by another article on Oakbend Medical Center in Texas recovering from a ransomware attack. And this is rounded out by articles on a HIPAA data breach affecting a quarter of a million people and, what feels almost in vain, an article on effectively using zero trust in healthcare. After reading the other articles that feels a bit like closing the barn door after the horses have bolted, but we're all fighting a never-ending battle to improve security. And there will always be a next time.
And another bit of synchronicity. (You're welcome.) The other trend that caught my attention was the number of educational institutions that appeared in my feed. Education is under attack! No, not the book banning. No, not the anti-science curricula. No, not the sexist dress codes... Let's start over...
It is back-to-school time, and I guess that goes for attackers too. Won't someone think of the children! Sorry, don't know where that came from. Anyway, just more evidence that anything goes. We have the standard mix of issues these days, largely ransomware and cloud vulnerabilities. In this case it seems the LA School District got popped by Vice Society, one of many districts they've decided to target.
Given the issues with school budgets I wouldn't think they could expect large payouts for the ransomware. But they're also stealing personal information on staff, faculty, and students, so perhaps they're also selling that info.
Finally, I tend to be somewhat US-focused, since that's where I live and where F5 is based, but infosec is definitely global. So I took note this week of the number of articles covering events around the globe. This week, unsurprisingly, there was a lot of attention on a few of the usual suspects - mostly Iran and North Korea, with an honorable mention for China. I can't say there is really anything new for those who watch world events in infosec; they're just up to their usual tricks. Only the targets change. I know it is serious, but it is hard not to get too worked up after years of the same kind of thing.
Portugal makes an appearance as well, but as a victim. NATO documents stolen from Portugal have appeared for sale on the dark web.
That's all for this week. There was plenty of other news, of course, these are just the bits that caught my attention and seemed worth sharing. See you again in a few weeks when my turn comes around in the rotation again. Later!