One ransomware attack can be devastating for a small or midsize business. Here are four solid survival tips to ensure it doesn't turn into a disaster.

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"\[T\]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

**1\. Decrease the Attack Surface**

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

**2\. Shift the Costs to the Attackers**

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

**3\. Improve Your Security Hygiene**

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

**4\. Don't Fail to Plan**

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.

Protecting Small Businesses From Ransomware on a Budget

Cequence's latest updates to its Unified API Protection platform help organizations reduce the time needed to create API security testing plans.

API security company Cequence Security has updated its API protection platform with generative AI and no-code security automation to help organizations with security testing and reporting, the company said.

IDC estimates that up to 50% of enterprises’ revenues are enabled over application programming interfaces (APIs), making API security a top priority for CISOs, stated Cequence Security in a blog post about the new capabilities. With generative AI, security teams working with Cequence’s Unified API Protection (UAP) platform can generate API Security Test Plans using plain English, the company said. UAP's Intelligent Mode automatically associates the appropriate APIs with the right test cases, given the functionality of that API.

Cequence gave an example in its blog: Security analysts can say, “Generate a test plan for my Payments API to ensure PCI data compliance,” and the platform will automatically inspect the Payment API endpoints and the payload characteristics to associate the appropriate test cases that would verify that the endpoints are performing as expected.

This functionality reduces the time needed to create a test plan to minutes, rather than months, according to the company.

Security analysts can also use low-code/no-code tools within Cequence to link together multiple third-party connections to implement the equivalent of an API security orchestration and response workflow, the company said. It provided an example of how analysts can create a workflow to log a JIRA ticket when sensitive data exposure is detected from a shadow API, automatically geofence access to the API to internal applications only, and then send an email to the relevant developer or business owner alerting them to the issue.

Other updates to the platform include adding new test cases for the latest OWASP API Top 10 2023 to the test catalog and the ability to run API tests outside of CI/CD pipelines and test directly against staging and production servers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cequence Security Adds Generative AI to API Security

By leveraging misconfigured DLLs instead of EDR-monitored APIs, this new technique injects malicious code into running processes, completely evading endpoint security.

Endpoint detection and response (EDR) systems have become increasingly efficient at detecting typical process injection attempts that invoke a combination of application programming interfaces to insert code into the memory space of a running process.

So researchers at Israeli-based Security Joes set out to find another way to due process injection without relying on EDR-monitored APIs. The result is Mockingjay, a novel method for process injection that leverages dynamic link libraries (DLLs) with default read, write, and execute (RWX) permissions to push code into the address space of a running process.

**The Mockingjay Approach**

The approach reduces the likelihood of an endpoint security mechanism detecting a malicious process injection effort and requires a smaller number of steps to achieve, Security Joes said in a report this week. "Our research aimed to discover alternative methods to dynamically execute code within the memory space of Windows processes, without relying on the monitored Windows APIs," the security firm said.

"Our unique approach, which involves leveraging a vulnerable DLL and copying code to the appropriate section, allowed us to inject code without memory allocation, permission setting, or even starting a thread in the targeted process."

Process injection is a technique for manipulating the memory of a process to either add new functionality or modify its behavior. Attackers commonly use the method to hide malicious code and evade detection on compromised systems. Common process injection methods include self-injection where a process that receives the injected payload also executes it; DLL injection where a malicious DLL is loaded into the memory space of a process; and PE injection where a portable executable file is mapped into the memory of a running process.

"Each of these injection techniques requires a set of specific Windows APIs, which generate characteristic patterns that can be leveraged by defenders and security software for detection and mitigation purposes," Security Joes said in its report. For instance, the APIs required for self-injection are VirtualAlloc, LocalAlloc, GlobalAlloc, and Virtual Protect, the company said. Similarly, the APIs used in PE injection are VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Most EDR systems are tuned to monitor commonly used APIs in process injection attacks and can effectively identify malicious activity associated with their use.

**Abusing Vulnerable DLLs**

The strategy Security Joes used in developing Mockingjay was to systematically search for DLLs within the Windows OS that contained a default RWX section. Researchers at the company developed a tool that explored the entire Windows file system to identify DLLs that could serve as potential vehicles for code injection without triggering an EDR alert. The exploration resulted in Security Joes finding a DLL (msys-2.0.dll) with 16KB of RWX space in Visual Studio 2022 Community that they could use for injecting and executing their own code.

"After identifying the vulnerable DLL that contains a default Read-Write-Execute (RWX) section on disk, we conducted several tests to explore two different methods that could leverage this misconfiguration to execute code in memory," Security Joes said.

One method was to directly load the vulnerable DLL into the memory space of a custom application called nightmare.exe that Security Joes developed. Doing that allowed researchers to inject and execute their own shellcode into the memory space of the application without leveraging any Windows APIs. Among other things, the shellcode also removed all EDR hooks without triggering any alerts. "This complete removal of dependency on Windows APIs not only reduces the likelihood of detection but also enhances the effectiveness of the technique," the company said.

Security Joes' second tactic for abusing the RWX section in the DLL was to do process injection in a remote process. To achieve this, they first identified binaries that used mysys-2.0.dll for their operations. Many of these were associated with GNU utilities and other applications that require POSIX emulation. For the proof-of-concept, researchers chose the ssh.exe process in Visual Studio 2022 Community as the target for injecting their code. "It is important to note that in this injection method, there is no need to explicitly create a thread within the target process, as the process automatically executes the injected code," the company explained.

According to Security Joes, the DLL that its researchers used to developed Mockingjay is just one of potentially many others that can similarly be abused for code injection purposes. Addressing the threat requires endpoint security tools that don't just monitor specific APIs and DLLs but also use behavioral analysis and machine learning techniques to identify process injection.

Mockingjay Slips By EDR Tools With Process Injection Technique

In a move to embarrass the city, hacking group known as SiegedSec accessed thousands of files with administrator logins, but it's making no ransom demands.

In a security breach first discovered on June 23, Fort Worth, a north Texas city that has more than 935,000 residents, announced that hacktivist threat actors gained unauthorized access to its data.

The group claiming responsibility for the cyberattack, SiegedSec, said it was carried out for political reasons. Specifically, what it deemed to be recent anti-transgender legislation in the state of Texas, stating, "Texas happens to be one of the largest states banning gender affirming care, and for that, we have made Texas our target."

The hacking group publicly claimed in a post that it had accessed around a half-million files containing materials such as police reports, employee/contractor emails, internal documents, work orders, employee lists, and a great deal more. SiegedSec allegedly did so by stealing administrator credentials in order to access city data, the stolen amount of which totals around 180GB.

With a list of links, the post went on to say, "We have uploaded this leak in 10 different links, each containing 20GB of government files (except the last one). If any links go down, we assure we'll have it up again very soon\[.\]"

In a press conference on the same day of the hack, city CTO Kevin Gunn confirmed the attack.

"The City of Fort Worth has confirmed that the posted information did originate from our computer systems," he said. "However, that data came from a website that our workers use to manage their maintenance activities and not from the city's public-facing intranet website. It appears the hackers downloaded file attachments to work orders within the system and those attachments include things like photographs, spreadsheets, invoices for work performed, emails between staff, PDF documents and other related materials for work orders."

Though it is unknown how the group managed to steal login information, Gunn claims that there was no indication that sensitive information was released and there was no ransom demand made, but rather that the group's intent was to make a political statement.

Trans-Rights Hacktivists Steal City of Ft. Worth's Data

The attack exposed personal information from pilot applicants, prompting both airlines to ditch their third-party provider and move services internally.

Hackers breached a database maintained by Pilot Credentials, a recruiting company based in Austin, Texas, resulting in the theft of personal information from more than 8,000 pilot applicants for American Airlines and Southwest Airlines.

The compromised data includes names, birth dates, Social Security and passport numbers, as well as driver- and pilot-license numbers of pilot and cadet job applicants.

According to the breach notifications filed by both airlines, 5,745 American Airlines applicants were affected, while the breach exposed information from 3,009 Southwest applicants. 

The airlines became aware of the breach on May 3, after it occurred on April 30. 

American Airlines reported no evidence of fraudulent activity or identity theft but is offering affected applicants two years of identity theft protection.

Both airlines said they have shifted their recruitment processes to internal websites and are cooperating with law enforcement investigations.

"We are no longer utilizing the vendor, and, moving forward, pilot applicants are being directed to an internal portal managed by Southwest," Southwest Airlines said.

Erfan Shadabi, cybersecurity expert with comforte AG, says this type of data is a goldmine for cybercriminals, who can exploit it for various malicious purposes, including identity theft, financial fraud, and targeted phishing attacks.

"The recent data breach involving American Airlines and Southwest Airlines highlights the profound damage that such incidents can inflict on organizations," Shadabi says. 

Erich Kron, security awareness advocate at KnowBe4, agrees that this kind of breach illustrates the dangers of relying on third parties to manage sensitive information.

"Unfortunately, supply chains have been increasingly targeted, causing users of their services a considerable amount of grief," he adds. "In many cases it is more economically feasible to enlist vendors to handle services such as managing resumes, job requests, and many other functions." 

The problem there, Kron explains, is that when things go wrong, it often reflects more poorly on the customer organization than on the service provider. 

**Airlines Must Improve Third-Party Security**

Nick Tausek, lead security automation architect at Swimlane, says to significantly reduce the risk of data breaches, airlines must collaborate closely with third-party vendors to prioritize the implementation of robust security measures.

This includes practices such as multifactor authentication and regular password updates, and evaluating whether their current security strategy is leaving room for delays in threat detection and incident response.

"The reality is that manual security processes are often time consuming and prone to errors, leaving organizations vulnerable to attacks," he says. "Security automation tools, especially those of the low-code variety, can accelerate security teams' capabilities to keep pace with the evolving threat landscape."

Sally Vincent, senior threat research engineer at LogRhythm, says in addition to the challenges of managing and detecting threats within an enterprise's IT infrastructure, assessing third-party risk is also a critical aspect.

"For airlines, it is essential to have strong communication and notification tools, as well as a deep understanding of how to effectively configure their complex IT environment," she says.

This allows them to gain a comprehensive view of anomalous and malicious activities across all fronts, enabling a prompt and thorough response.

"By implementing a well configured security monitoring solution that provides complete visibility, including for third-party vendors, it would have been more likely to detect indicators of compromise and mitigate the threat in a timely manner," Vincent notes. 

Kron adds when an organization is going to use a third-party service to process or gather information, especially anything of a sensitive nature, special care needs to be taken with respect to security and should be part of the contract with the vendor.

From his perspective, how the data is handled, who has access, how it's secured, and how long it's retained are some of the key concerns that should be handled within the contracts.

"The security of any third parties who are handling your sensitive information should be vetted to ensure that their security standards meet or exceed those of the organization that is hiring them," he says. 

**Airlines, Travel Industry Under Continued Attack**

Last year American Airlines was victim to a successful phishing attack against employees that compromised email accounts containing a raft of customer data. 

In the wake of these attacks and continued targeting of the travel sector by cybercriminals, the Transportation Security Administration (TSA) announced a new set of cybersecurity requirements for airport and aircraft operators.

This obligation follows previous TSA requirements for operators to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA). 

Ransomware attacks have impacted airlines worldwide, including low-cost carrier Indian SpiceJet, where an attack caused flight delays and rendered unavailable online booking systems and customer service portals.

Pilot Applicant Information for American, Southwest Hacked

Organizations are largely deluded about their own security postures, according to an analysis, with the average SIEM failing to detect a whopping 76% of attacker TTPs.

Despite enterprises' best efforts to shore up their security information and event management (SIEM) postures, most platform implementations have massive gaps in coverage, including missing more than three-quarters of the common techniques that threat actors use to use to deploy ransomware, steal sensitive data, and execute other cyberattacks.

Researchers from CardinalOps analyzed data from production SIEM platforms from companies such as Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, and found that they have detections for just 24% of all MITRE ATT&CK techniques. That means that adversaries can execute about 150 different techniques that can bypass SIEM detection, while only about 50 techniques are spotted, the researchers said.

This is despite the fact that current SIEM systems actually do take in sufficient data to cover potentially 94% of all these techniques, CardinalOps revealed as part of the company's "Third Annual Report on the State of SIEM Detection Risk," released today.

Moreover, organizations are largely deluded about their own security postures and "are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice," the researchers wrote in the report. This creates "a false impression of their detection posture."

MITRE ATT&CK is a global knowledge base of adversary tactics and techniques based on real-world observations that's aimed at helping organizations detect and mitigate cyberattacks. The report's data is the result of analysis of more than 4,000 detection rules, nearly 1 million log sources and hundreds of unique log source types used in SIEM across a range of diverse industry verticals — including banking and financial services, insurance, manufacturing, energy, and media and telecommunications.

**A Lack of SIEM Fine-Tuning to Blame for Detection Fails**

The key issue contributing to the current state of SIEM efficacy (or lack thereof) seems to be that even though resources exist for organizations to use knowledge, automation, and other processes to detect adversaries and potential attacks on their environments, they still largely rely on manual and other "error-prone" processes for developing new detections, the researchers noted. This makes it difficult to reduce their backlogs and act quickly to fill gaps in detection.

Indeed, SIEMs themselves "are not magic" and rely on the organizations deploying them to do so correctly and efficiently, notes Mike Parkin, senior technical engineer at Vulcan Cyber, a security-as-a-service provider of enterprise cyber-risk remediation.

"Like most tools, they require fine-tuning to deliver the best results for the environment they’re deployed in," he says. "These report results imply that many organizations have gotten the basics working but haven’t done the fine-tuning necessary to take their detection, response, and risk management strategies to the next level."

In addition to the need to scale detection-engineering processes to develop more detections faster, one key issue that seems to be tripping up detection in enterprise SIEM deployments is that on average, they have 12% of rules that are broken, which means they will never file an alert when something is amiss, according to the report.

"This commonly occurs due to ongoing changes in the IT infrastructure, vendor log format changes, and logical or accidental errors in writing a rule," the researchers noted in the report. "Adversaries can exploit gaps created by broken detections to successfully breach organizations."

**Why MITRE ATT&CK Matters**

MITRE ATT&CK, created in 2013, has now "become the standard framework for understanding adversary playbooks and behavior," the researchers noted. And as threat intelligence has advanced, so has the wealth of knowledge the framework provides, currently describing more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and Lapsus$.

"The biggest innovation introduced by MITRE ATT&CK is that it extends the traditional intrusion kill chain model to go beyond static indicators of compromise (like IP addresses, which attackers can change constantly) to catalog all known adversary playbooks and behaviors (TTPs)," the CardinalOps researchers wrote.

Organizations clearly see the value in using MITRE ATT&CK to help them in their security efforts, with 89% currently using the knowledge base to reduce risk for security-operations use cases — such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs, the researchers noted, citing Enterprise Strategy Group (ESG) research.

However, using the framework to support SIEM efforts and using it well appear to be two very different scenarios, the report found.

**Closing the SIEM Gap**

There are steps that organizations can take to help close the gap between what a SIEM is capable of in terms of cyberattack detection, and how they currently are using it, researchers and security experts said.

One key strategy would be to scale SIEM detection-engineering processes to develop more detections faster using automation, something that companies already use widely to great effect in "multiple areas of the SOC, such as anomaly detection and incident response," but not so much in detection, they noted in the report.

"The detection-engineering function remains stubbornly manual and typically dependent on 'ninjas' with specialized expertise," the researchers wrote.

Indeed, having a focus on automation is critical to achieving goals with limited human and financial resources, agrees one security expert.

"This includes expanding automated detection to include Internet of things (IoT) and operational technology (OT) attack vectors, as well as having plans already in place for automated threat remediation," says John Gallagher, vice president of Viakoo Labs at Viakoo.

One key challenge that organizations continue to face is that the current attack surface — which now includes large numbers of vulnerable network-connected devices as well as the typical enterprise network — has grown well past what the IT organization is currently capable of supporting or managing, Gallagher says.

"To defend and maintain the integrity of those assets requires IT working closely with other parts of the organization to ensure those assets are visible, operational, and secure," he says.

Indeed, Parkin observes, until organizations can get a clear picture of their threat surfaces, manage their risk, and prioritize events to focus on what matters most, there will be problems.

"We have the tools to make it happen," he says. "But it can be a challenge to get them deployed and configured for best effect."

Most Enterprise SIEMs Blind to MITRE ATT&CK Tactics

The new FDA software bill of materials (SBOM) guidelines for medical devices could have broad impact on the healthcare industry and the broader open source ecosystem.

The US Food and Drug Administration (FDA) is not exactly top of mind for the average open source software (OSS) project maintainer nor the developers building applications that leverage OSS. But new rules from the FDA could impact OSS security more than any government rule to date. The big change? The FDA is mandating that all medical devices running software must create and maintain a software bill of materials (SBOM) and will start enforcing that rule on Oct. 1, 2023.

The new policy addresses growing concerns that critical software-powered components of healthcare devices are not properly secured. Medical institutions are frequent targets of ransomware attacks and, in the future, medical devices could be in the crosshairs of hackers. In addition, medical devices often run on outdated or end-of-life (EOL) operating systems. A significant percentage of these systems use Linux or other open source software.

Often, manufacturers have no easy way to update firmware or device software. Further, medical device companies — and the medical professionals who install and use the devices — may not be well versed in cybersecurity and might not build in proper mechanisms for ongoing security measures. Of course, we've had warnings on this topic for years. What's different about this new rule? And how will it impact the broader OSS ecosystem? The real difference is in the details of the SBOM requirement.

**The Cascading Impact of Mandated SBOMs**

To date, SBOMs have been akin to nuclear fusion — promising, but always a few years away from being a meaningful reality. A host of supply chain attacks, such as the SolarWinds hack, kicked off a more aggressive US government policy towards cybersecurity, including an executive order mandating that software used by the US government include an SBOM. Since then, a host of startups have emerged to facilitate supply chain security and SBOM management. The largest version-control service providers, GitHub and GitLab, now offer automated SBOM generation. Adoption and acceptance of SBOMs are on the rise according to multiple surveys. For example, the Linux Foundation found that 78% of organizations planned to produce or consume SBOMs by the end of 2022.

What the FDA brings to the party is real "teeth." Mere consumption or production of SBOMs doesn't necessarily result in more robust security; it's easy to generate a superficial and somewhat useless SBOM. In contrast, the FDA mandates that medical device manufacturers submit "a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits" and to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure." This includes patching "on a reasonably justified regular cycle" and as-soon-as-possible patches for serious vulnerabilities found outside of the normal patch cycle.

If a medical device maker fails to hit this mark, then the FDA will refuse to accept (RTA) a proposed device. This designation means a maker cannot put the device on the market. For devices already in the market, the rules are murkier. That said, those device makers are scrambling to meet the new SBOM standards.

**One Catalyst for a Broader Shift to Trusted, Transparent OSS**

For the broader OSS ecosystem, this new FDA rule offers a glimpse of a future where SBOMs are finally more than a nice-to-have or checkbox activity. OSS is already widely used in medical devices. Linux is one of the more popular choices for medical device systems, growing even more popular as OSS gathers reputation and acceptance. If you are building on Linux, the design likely incorporates other open source components such as middleware, message queues, front-end frameworks for user experience components, and more.

For medical device companies and service providers building software for the industry, the mandate exerts pressure to bias toward OSS components (and supporting projects) that demonstrate strong security behaviors. This includes developing robust SBOMs that are kept up to date and can be programmatically consumed to aggregate into compound SBOMs for a specific medical device and its software stack. By extension, this means we will likely see a winnowing effect as OSS subcomponents that don't abide by the SBOM mandate subsequently fall out of favor with enterprise use cases. This trend will be reinforced by the emergence of trusted package repositories and mandated package provenance.

For open source, this catalyst from the FDA will prove extremely beneficial. It offers a model of enforceable SBOM requirements for critical infrastructure and components. It provides healthy pressure to make applications built on OSS more transparent and accountable. Most importantly, the FDA mandates could save lives one day. For (one terrifying) example, imagine if an advanced persistent threat were to attempt to hack insulin pumps to extract a ransom. Pressures are also building in other geographies, such as the European Union, which is pursuing policies to mandate medical device hardening.

None of this is to say that OSS has not already been more transparent or accountable than proprietary systems. It has. But even within this context, a higher degree of transparency and accountability — making OSS far more consumable and programmatic — is necessary to secure increasingly convoluted software supply chains and webs of dependencies. The upshot? Your pacemaker or insulin pump will be more secure, and so will everything else in a world increasingly powered by open source.

Why the FDA's SBOM Mandate Changes the Game for OSS Security

The $7.5 million in new funds from the Cybersecurity for Rural Water Systems Act of 2023 is not just a drop in the bucket for crucially important rural water systems.

A recent bill that proposes $7.5 million in annual cybersecurity funding for the next five years for US rural water systems may have a bigger impact for covered entities than the dollar amount alone would suggest. It would be a much-needed infusion of cash for a critical infrastructure sector that plays a big role in public safety despite its smaller customer base.

The funding adds to $25 million available annually as technical assistance for rural water systems and small water utilities under a US Department of Agriculture (USDA) initiative called the Circuit Rider Program. But this bill targets a narrowly focused set of small organizations that currently have little to non-existent cybersecurity capabilities.

Mike Hamilton, former CISO of the City of Seattle and current CISO of Critical Insight, says the investment is vitally important given that these systems make attractive targets for attackers. 

"Disruption of water and wastewater \[systems\] can lead to public health emergencies very quickly," he notes "Given that global geopolitics are incentivizing activists and volunteers to perform disruptive acts, water and waste may be in their sights to drive dissatisfaction with the US government's ability to maintain critical services."

**Rural Water Systems: A Critical Cyberattack Target**

There are more serious concerns as well. By targeting critical operating systems at small water facilities, an attacker could "drain tanks, change levels of chemicals, inject bad telemetry information into well and tank monitoring, and potentially impact waste treatment operations," Hamilton says.

It's also important to remember that softer targets take fewer resources to attack, cautions Chris Warner, senior operational technology security consultant at GuidePoint Security. Such targets are often used to divert attention from more significant and larger targets, he notes. 

Shutting off water is just one potential outcome of an attack on a rural or small water system, Warner adds: "What concerns me is \[attackers\] changing the amount of chemicals used to clean and or balance the water quality. This could cause mass sickness and even possible death."

The good news is, so far, there have been few publicly reported attacks on small and rural water systems of major significance, Hamilton and others say**.** However, that doesn't mean small and rural water entities can't become victims of opportunistic attacks — including ransomware. 

"Key factors include how much exposure their critical systems have to enterprise and Internet facing users that are exploited by threat actors," explains Ron Fabela, CTO of critical infrastructure at Xona Systems. So, "while ... there's no tangible data showing a rise in threat actor interest in rural water systems specifically," Fabela says, the overall increase in awareness, legislation, and industry focus — and this latest investment — are key in making sure the situation stays that way. 

**A Narrow but Significant Cyber Investment in Water Safety**

"While $7.5 million may seem like a drop in the bucket from a funding stance, the USDA Rider program is focused on those water entities \[that\] serve a population of 10,000 or less," says Fabela. "Any financial assistance for these very small water utilities goes a long way."

Reps. Don Davis (D-N.C.) and Zachary Nunn (R-Iowa) along with Reps. Angie Craig (D-Minn.) and Abigail Spanberger (D-Va.) introduced the Cybersecurity for Rural Water Systems Act of 2023 earlier this month. The bill seeks to expand the National Rural Water and Wastewater Circuit Rider program by including $7.5 million annually between 2024 and 2028 for cybersecurity technical assistance for small and rural water utilities.

Under the proposed program, cybersecurity experts — or circuit riders — will travel to rural water facilities and assist them in building plans for securing their systems against cyberattacks. The cybersecurity riders will become part of a broader team of circuit riders that have been providing as-needed, hands-on training and other technical assistance to small and rural water systems for decades.

According to the National Rural Water Association, which collaborated with the USDA in setting up the program, circuit riders have provided technical assistance more than 700,000 times to small and rural water systems since 2009. The assistance has included helping small water utilities to respond rapidly to natural and man-made emergencies; to improve water treatment processes; enhance regulatory compliance; and improve financial sustainability.

In a statement announcing the bill, Rep. Davis described the proposal as critical to bolstering cyber defense in agricultural communities and rural water systems that are critical to overall national security. "We must ensure our water systems rural communities and farmers rely on have the necessary protections to successfully guard against cyberattacks," he said.

Expanding the circuit rider program to include cybersecurity should begin to help smaller, rural water systems start their security journey, says GuidePoint's Warner. Many of these entities lack the security personnel, expertise, and funding required to operate systems for securing their water and wastewater equipment, he says.

"From several of the water and wastewater organizations I've helped out in the past, this will greatly assist organizations to create security departments that may not exist or that are treated as 'other duties assigned,'" he says. The funding could also help them build out governance and risk management programs, Warner notes.

**Rural Water Cybersecurity Funds Provide Much Needed Relief**

Hamilton, who was previously also vice-chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council, says it's important to consider the size of the target audience when evaluating how effective or not the proposed new funding will be. The $7.5 million in cybersecurity funding that the bill proposes is targeted at small utilities that are typically not in scope for state and local cybersecurity grant programs. "Because of that tight scoping, this amount may be significant," he notes. 

"Private sector water systems that are in rural areas can use the funds to conduct the assessments that are required by the EPA," as part of new drinking water requirements for states and public water systems, he adds. The fund could aid these entities in finding and closing security gaps in their systems.

Data on the exact number of rural water systems in the US is challenging to come by, partly because of how these systems are classified. According to the Environmental Protection Agency (EPA), 97% of 153,000 public drinking water systems in the US (as of February 2020) serve populations of 10,000 or fewer. Another report, by the American Bar Association following the water crisis in Flint, Mich., pegged the number of community water systems in the US at 60,000, with 93% serving populations fewer than 10,000, and a total of 67% serving fewer than 500 people.

Why Cyber Funding Flows for Rural Water Systems

By investing in a strong future cybersecurity workforce, we can prevent future attacks on US critical infrastructure before they occur.

Our K–12 schools are under cyberattack. From 2016 to 2022, public K–12 schools in the United States fell victim to more than 1,600 cyber incidents, including ransomware, phishing, and denial-of-service (DoS) attacks. Recently, schools in Minnesota, New Hampshire, and North Carolina were shuttered as a result. These attacks have caused considerable disruption to students and educators caught in the crosshairs.

We are nearing the end of National Cybersecurity Education Month, an effort led by Senator Jacky Rosen (D-NV), to increase awareness of cybersecurity education and its role in improving US national security. Now more than ever, we have a responsibility to stop cyber incidents on schools before they begin. This starts with K–12 cybersecurity education.

Many schools lack funding for sophisticated cyber protections and IT talent to protect infrastructure, making them easy targets. The federal government has taken notice. The Cybersecurity & Infrastructure Security Agency (CISA) now provides recommendations on the key steps K–12 schools to effectively reduce cybersecurity risk.

This underscores the importance of preventing cyberattacks on schools from happening in the first place by investing in K–12 cybersecurity education and the next generation of cybersecurity professionals.

The nation continues to face a systemic cyber talent workforce shortage, with more than 750,000 open cybersecurity positions. At the same time, less than half of students nationwide are learning about cybersecurity in the classroom. CISA Director Jen Easterly emphasized that addressing the cybersecurity talent gap begins by engaging students at all levels of education, as well as more women, girls, and minorities in cybersecurity.

There is infrequent and unequal access to K–12 cybersecurity education, as students in small and high-poverty districts are significantly less likely to be exposed to the subject.

Here are three key steps educators and school leaders can take to ensure that all students — regardless of socioeconomic status or ZIP code — have access to cybersecurity education.

**1\. Continue Cybersecurity Education for Teachers**

Teachers are central to empowering students in every subject, but this isn't possible unless we empower teachers with the skills and confidence to teach cybersecurity. Through professional development and readily available resources, educators can learn core cybersecurity concepts and become cyber literate. Armed with the skills and tools to teach cybersecurity, educators can inspire students to succeed in our 21st-century workforce.

**2\. Integrate Cybersecurity Education and Standards Into Existing Curriculum**

Introducing cybersecurity concepts in the classroom can seem daunting, but thanks to existing resources, educators don't need to start from scratch. Educators can use no-cost cybersecurity lessons to integrate cybersecurity into their curriculum, regardless of the subject they teach. Additionally, the national K–12 Cybersecurity Learning Standards provide another road map for educators to ensure students have not only a foundational understanding of cybersecurity, but also the skills and knowledge needed to pursue cybersecurity careers in greater numbers. Designed to be comprehensive, easy to use and easy to find, the standards are available to states, districts, and all educators at no cost.

**3\. Partner on Cybersecurity With Colleges and Universities**

When presenting K–12 students with a potential new career path, it's important to provide examples of what pursuing cybersecurity can lead to. Establishing partnerships and mentorship programs between K–12 schools and higher education institutions that offer cybersecurity degree programs help students envision pursuing cybersecurity in college and as a career.

Building a pipeline of future cyber professionals starts with ensuring that all K–12 students have equitable access to cybersecurity education and the skills to pursue careers in the field. Dedicated educators and school leaders are essential to making this a reality. By investing in a strong future cybersecurity workforce, we can prevent future cyberattacks on US critical infrastructure, like our K–12 schools, before they occur.

Preventing Cyberattacks on Schools Starts With K–12 Cybersecurity Education

**MARLTON****, N.J.** **,** **June 23, 2023** **/PRNewswire/ --** Between 2.5 to 2.7 million consumers are being notified that their Social Security numbers and other confidential information were compromised when hackers were able to exploit a vulnerability in software used by a vendor of Genworth Financial, Inc.

The data breach lawyers at Console & Associates, P.C. are investigating claims on behalf of Genworth Financial policyholders and anyone else affected by the breach, hoping to fully inform them of the risks they face in the wake of the breach as well as their legal rights.

The sensitive personal data of at least 2.5 million Genworth Financial policyholders has been compromised. Now, their full names, Social Security numbers and other personal information may be in the hands of criminals who can use the stolen data to carry out various schemes, such as identity theft and other frauds.

On June 22, 2023, Genworth Financial filed a Form 8-K with the Securities and Exchange Commission describing a third-party data breach affecting consumers nationwide. Genworth notes that the incident stemmed from a third-party vendor's use of the managed file transfer software, MOVEit.

Evidently, Genworth Financial was notified by its vendor, PBI Research Services, that a vulnerability in the MOVEit file-transfer software, created by Progress Software, allowed hackers to download confidential policyholder data.

According to the notice, the data breach affected an estimated 2.5 million policyholders and other customers.

The list of sensitive information that was exposed includes names, Social Security numbers, and other personal information.

If you receive a data breach notice from Genworth Financial, you could now be at risk of identity theft—and the life-changing financial and legal consequences that follow in its wake.

Genworth Financial may offer those who were affected by the breach with complimentary credit monitoring and identity restoration services. And while victims should enroll in this service immediately, it is not sufficient to protect them from the risks of a data breach.

**What to Do if You Receive a Genworth Financial Data Breach Letter**

Individuals who receive a data breach letter from Genworth Financial should take all necessary steps to protect themselves. (See our Guide for Victims of Data Breach for more details at https://www.myinjuryattorney.com/consumer-privacy-data-breach-lawyers/if-your-information-has-been-compromised-in-a-data-breach/.) Additionally, data breach victims should consider speaking with a data breach attorney as soon as possible. Those consumers who receive a data breach letter from Genworth Financial may be entitled to financial compensation.

If you wish to discuss this data security incident, or if you have any questions regarding your rights following the Genworth Financial data breach, please contact Console & Associates, P.C. at (866) 778-5500. Interested parties and potential plaintiffs can also learn more about this data breach and potential lawsuit at https://www.myinjuryattorney.com/genworth-financial-data-breach-investigation/.

Anyone who has received a Notice of Data Breach letter may contact the firm to learn more about their rights.

Source

DARKReading