MDR Sentinel expands TorchLight’s leading managed detection and response (MDR) services with turnkey SIEM and SOAR capabilities from Microsoft; TorchLight also announces it attains elite Microsoft Gold Partner Status

**SPOKANE, WA – May 10, 2022** - TorchLight today announced MDR Sentinel, a scalable, cloud-native turnkey security information and event management (SIEM) and security orchestration, automation, and response (SOAR) service. The new service is powered by enterprise-grade Microsoft Sentinel security tools combined with TorchLight’s nationwide virtual security operations center (vSOC) capabilities.

TorchLight is a Complete Security Solutions Provider (CSSP) that offers turnkey MDR services in addition to its own SIEM/SOAR MDR service that works with all leading cybersecurity products and environments to manage alerts and respond quickly and effectively to all threats.

The turnkey nature of MDR Sentinel is ideal for customers that are significant users of Microsoft software and services. TorchLight has also partnered with Cisco Systems for a turnkey managed SOAR MDR service that combines the full suite of Cisco Secure products along with TorchLight vSOC services.

**MDR Sentinel Details**

MDR Sentinel offers security analytics and threat intelligence across endpoint and cloud network environments. The service features built-in data connectors to collect security data from Microsoft software and services – including Microsoft Azure and Microsoft’s Defender for Endpoints, Cloud Apps and Office365 – as well as leading third-party firewalls and security systems.

MDR Sentinel assesses this data at scale and can detect threats with minimal false positives and investigates those threats with Microsoft’s experienced artificial intelligence (AI). The system responds rapidly to any incidents alerting the live cybersecurity experts in TorchLight’s vSOC who analyze significant events and provide incident management and support.

As a cloud-based SIEM, MDR Sentinel is less expensive and faster to deploy than traditional on-premises SIEMs. The service establishes connections to Microsoft Azure which also increases efficiency gains and significantly reduces management effort. The collaboration with Microsoft allows TorchLight to offer its clients best-fit Microsoft licensing as well as access to Microsoft’s analytics and intelligence.

"The cloud is joining end-user devices as the repository for valuable business data. MDR Sentinel offers an unparalleled ability to protect the entire range of a company’s data assets. This breadth combined with TorchLight’s nationwide SOC services is a comprehensive service and a good value,” said TorchLight CTO Stephen Heath.

“Microsoft is a pioneer in cloud-native SEIM / SOAR capabilities and our goal as a Microsoft Gold Partner is to use this technology and our SOC capabilities to give companies new tools to modernize their security operations,” said Jim Kreutel of TorchLight.

MDR Sentinel is now available. More details are at the TorchLight website.

**About TorchLight**

TorchLight is a full-service, nationwide Complete Security Solution Provider (CSSP) founded and built on the concept of providing a complete Design-Build-Manage (DBM) approach to cybersecurity solutions. We deploy a risk-aligned approach to translate business needs into cybersecurity, and cybersecurity into business strategy, to drive customer trust and investor confidence—combined with 24×7 monitoring and intelligence gathering. Through partnerships with Cisco and Microsoft, the industry leading security technology companies, we provide both turnkey and Bring-Your-Own-Tech cybersecurity solutions, along with a full range of consulting, reselling, and managed security service provider (MSSP) services.

TorchLight Expands Cybersecurity Services With MDR Sentinel in Partnership With Microsoft

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

Law enforcement is warning about a wave of Web injection attacks on US online retailers that are successfully stealing credit-card information from online checkout pages.

Cyberattackers are targeting US online businesses by injecting malicious PHP code into e-commerce checkout pages and exfiltrating scraped data to a command-and-control (C2) server spoofed to look like a legitimate credit-card processor.

That's according to a flash alert from the FBI issued this week, which detailed one attack in particular that began in September 2020. Along with scraping credit-card data, the cybercriminals were modifying the business checkout page code to gain backdoor access to the business' system. The FBI provided indicators of compromise and recommended mitigations for similar e-tailers, including patching and ongoing monitoring of e-commerce environments. 

**Businesses Should Take Alert 'Seriously'**  
Cyvatar CISO Dave Cundiff explained in an emailed reaction to the alert that basic cybersecurity hygiene and monitoring would be enough to fend off this sort of attack. 

"Continually verifying and monitoring an organization's fundamental cybersecurity is a requirement these days," Cundiff said. "If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless." 

US businesses should take this alert seriously, according to Kunal Modasiya, senior director of product management at PerimeterX,.

"Given the risks of supply-chain attacks in general, it is important that businesses look beyond server-side security tools, such as static code analysis, external scanners, and the limitations of CSP to solutions," Modasiya says. 

Ron Bradley, vice president of Shared Assessments, meanwhile notes that organizations dealing with credit-card data, which he called "one of the crown jewels for fraudsters," should have technical controls like file integrity monitoring (FIM) in place.  

"If you're running a website, especially one which transacts funds, and if you don't have FIM implemented, I don't want to shop there," Bradley said. "Furthermore, you're going to get pummeled by bad actors because you don't have your house in order."

FBI: E-Tailers, Beware Web Injections for Scraping Credit-Card Data, Backdoors

The founders behind more than 90 cybersecurity firms have set up a $300 million investment fund.

A new venture capital firm, Ballistic Ventures, is making investments in cybersecurity innovation, with an initial fund predicted to reach $300 million, the group said. 

Ballistic has already begun investing in startup cybersecurity companies, including Concentric AI, Nudge Security, Pangea, and Veza. The VC touts its deep bench of founders with a collective 90 cybersecurity firms, 10,000-plus security pros, and more than $100 billion in value to their collective credit. 

“At Ballistic, we have assembled the who’s who in cybersecurity – a deep bench of the best operators, entrepreneurs and investors who have been at the forefront of industry for three decades,” said Ted Schlein, Ballistic Ventures general partner, in a statement announcing the group. “For us, the cybersecurity fight is real and personal – and the need for revolutionary solutions has never been more urgent." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Venture Capital Fund Focuses on Emerging Cybersecurity Tech

Multi-million-pound commitment will empower everyone from recent graduates to career changers to IT professionals in the UK to begin a successful career in cybersecurity.

LONDON, May 17, 2022 – (ISC)² – the world’s largest non-profit association of certified cybersecurity professionals – today announced it will help expand the UK’s cybersecurity workforce by offering free certification and education for 100,000 cybersecurity career pursuers through the new (ISC)2 entry-level cybersecurity certification. The 100K in the UK program represents a multi-year, multi-million-pound investment towards cybersecurity workforce skills development throughout the UK.

There has never been a better or more urgent time to start a cybersecurity career. The UK is one of the largest cybersecurity career markets in Europe, with more than 300,000 active cybersecurity practitioners. However, it is also challenged by a cybersecurity workforce shortage of more than 33,000, with UK government figures stating that at least 17,500 new people need to enter the industry annually just to maintain the status quo.

“The cybersecurity profession needs the next generation to join its ranks now more than ever,” said Clar Rosso, CEO, (ISC)². “Unfortunately, until now, individuals looking for their first cybersecurity job often do not know where to start, what to expect, or how to convince employers to give them a chance. To address this, we have developed the (ISC)2 entry-level cybersecurity certification to be a trusted endorsement of an individual and their foundational knowledge, skills and abilities. Through the 100K in the UK scheme, we are committed to giving 100,000 cybersecurity career pursuers the opportunity to achieve this certification for free, making a powerful contribution that positively impacts the UK’s cybersecurity workforce challenge today, not years from now.”

“Cybersecurity certifications that validate young professionals and career changers looking for their first role are essential to delivering a much-needed expansion of the UK cybersecurity talent pool. We welcome all initiatives to attract more first-time cybersecurity professionals to the profession. The (ISC)2 100K in the UK scheme is a timely industry commitment given the strong need to recruit for entry- and junior-level cybersecurity positions which are outstripping the workforce supply by a significant margin,” said Simon Hepburn, CEO of the UK Cyber Security Council.

**How 100K in the UK Will Work**

The scheme is open to all UK residents who do not hold an (ISC)² cybersecurity certification. Recent graduates, career changers and IT professionals looking to move into cybersecurity are encouraged to apply here.

Once enrolled, participants will gain access to the online self-paced education course for the (ISC)2 entry-level cybersecurity certification. Participants also will receive a voucher to cover the full cost of the (ISC)2 entry-level cybersecurity certification exam, which they can pursue as soon as they feel ready. The exam can only be taken in-person at an authorised Pearson VUE test centre in the UK.

After successfully completing the exam, candidates will become full members of (ISC)² with access to a wide array of professional development resources to help them throughout their careers. The (ISC)2 entry-level cybersecurity certification is the first step on a career-long journey that will help cybersecurity professionals gain experience and work toward advanced qualifications such as the (ISC)2 CISSP and (ISC)2 CCSP.

**What the Exam Covers**

*   The (ISC)² entry-level cybersecurity certification exam evaluates candidates on the following five subject areas:
*   Security Principles
*   Business Continuity (BC), Disaster Recovery (DR) and Incident Response Concepts
*   Access Controls Concepts
*   Network Security
*   Security Operations

The exam outline provides additional details on each domain, and the online self-paced course materials help to guide candidates through the subject areas.

For more information about the (ISC)² 100K in the UK scheme, including registration and enrollment instructions, and important terms and conditions, visit https://cloud.connect.isc2.org/100K-inthe-UK.

**About (ISC)²**

(ISC)² is an international non-profit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, more than 168,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

(ISC)² Unveils 100K in the UK Scheme to Expand the UK Cybersecurity Workforce with 100,000 Free Entry-Level Certification Exams and Education Opportunities

RUBRIK FORWARD: SAN DIEGO, Calif., May 17, 2022 -- Rubrik, the Zero Trust Data Security™ Company, today announced Rubrik Security Cloud to secure customers’ data, wherever it lives, across enterprise, cloud, and SaaS.

Ransomware is on the rise and cyberattacks are getting more sophisticated. Despite investments in infrastructure security tools, cybercriminals are still getting through to the data. And when they take the data down, they take down the entire business. It’s time for a new approach. The next frontier in cybersecurity pairs the investments in infrastructure security with data security giving companies security from the point of data.

Rubrik is a pioneer in data security and the Rubrik Security Cloud delivers three unique capabilities:

● Data Resilience: Safeguards data by providing immutable, logically air-gapped data protection with multi-factor authentication-based access control.

● Data Observability: Continuously monitors risks and investigates threats to data including Ransomware Monitoring and Investigation powered by machine learning to detect data anomalies, encryptions, deletions, and modifications; Sensitive Data Monitoring to find and classify the most sensitive data, and assess exfiltration risk; and Threat Monitoring and Hunting to identify indicators of compromise and find the last known clean copy of data.

● Data Recovery: Quickly contains threats and recovers data, whether it’s a file, application data or a mass recovery for the entire organization. Rubrik’s new Threat Containment capability quarantines malware and restricts user access to infected data to support safer recovery.

As organizations continue to struggle with cyberattacks that compromise data, Rubrik also launched the Data Security Command Center to easily assess whether data is safe and capable of being recovered from a cyberattack. Now, customers can see which data is at risk and get recommendations to make their data more secure.

“Every company in the world is vulnerable as cybercriminals get more savvy every day,” said Bipul Sinha, Rubrik CEO and co-founder. “With Rubrik Security Cloud, we are strengthening customers' defenses so they can secure their business across enterprise, cloud, and SaaS workloads. Our data security platform enables our customers to defend their data, recover quickly, and prevail in this new cyber landscape.”

“INTEGRIS Health is proud to be the largest not-for-profit health care system in Oklahoma, with eighteen hospitals in our network and more than a million patients that rely on us every year for their health care needs. With the expansive network we support, it’s paramount that our data is resilient, and we maintain a strong data security posture to keep our hospital moving. As a CIO, I believe Rubrik is an important service and helps us provide excellent patient care. As a Rubrik customer, we’re thrilled to see the continued innovation with Rubrik Security Cloud and the company’s ongoing focus on keeping customer data safe and making it easy to recover in the face of cyber-attacks, like ransomware,” said Bill Hudson, CIO of INTEGRIS Health.

"NJ TRANSIT delivered more than a quarter of a billion annual passenger trips before the pandemic and is responsible for our riders’ safety, mobility, and livelihoods every day. It’s imperative that nothing interrupts our business, so we’ve prioritized a strong data security strategy in partnership with Rubrik. We’re committed to the ongoing and necessary work that gives our data resilience and helps us reduce our risk as we face ever evolving, and inevitable, cyber threats,” said Rafi Khan, CISO of NJ TRANSIT.

**Research and Development Fuels Additional Capabilities**

As part of Data Observability, Sensitive Data Discovery for Microsoft 365 discovers and classifies sensitive data within Microsoft 365 to better assess risk and help maintain compliance with regulations.

These latest integrations build on the joint collaboration between Rubrik and Microsoft. Last year, Rubrik Cloud Vault built on Microsoft Azure was launched to help customers better defend against cyberattacks using a fully managed, secure and isolated cloud vault service. Since launch, Rubrik has seen strong demand for Rubrik Cloud Vault across key industries including Healthcare and Life Sciences, Manufacturing, State and Local Government, and Financial Services as customers build Zero Trust solutions to defend against and recover from ransomware.

“Businesses need a data resiliency strategy to keep their data secure in the face of escalating cyber threats,” said Jurgen Willis, Vice President Microsoft Azure. “Rubrik's Security Cloud, which builds on integrations with Rubrik Cloud Vault and Microsoft Azure, will help customers accelerate their Zero Trust journey.”

For more information about Rubrik Security Cloud and other R&D innovations, click here.

Rubrik Security Cloud is available now and new enhancements will be available in the months ahead.

**About Rubrik**

Rubrik, the Zero Trust Data Security™ Company delivers data resilience, data observability, and data recovery for organizations. Rubrik keeps your data safe and easy to recover in the face of cyber attacks and operational failures. Now you can recover the data you need, however and whenever you need it to keep your business running.

For more information please visit www.rubrik.com and follow @rubrikInc on Twitter and Rubrik, Inc. on LinkedIn.

Rubrik Launches Rubrik Security Cloud to Secure Data, Wherever it Lives, Across Enterprise, Cloud, and SaaS

A widespread attack is underway to exploit known RCE flaw in Tatsu Builder WordPress plug-in, according to a new report.

A no-code page builder WordPress plug-in, Tatsu Builder, has a known remote code execution (RCE) flaw that's under active attack, researchers report, exposing as many as 50,000 sites to takeover. 

The Wordfence threat intelligence team is raising the alarm over what it calls a "widespread" attack attempting to exploit CVE-2021-25094, publicly disclosed on March 24. The vulnerability impacts both the premium and free versions of Tatsu Builder. 

Because it's not listed on Wordpress.org, the team says it doesn't know exactly how many installations the plug-in has, but they estimate it's anywhere from 20,000 to 50,000 sites. 

The Wordfence report says the Wordpress plug-in attacks first popped up on May 10, and by May 14 threat actors had already launched 5.9 million attacks against 1.4 million sites running Tatsu Builder. 

“When it comes to cybersecurity, most organizations give little thought to their websites," Chris Olson, CEO of the Media Trust, said in a statement in reaction to the attacks. "The Tatsu vulnerability shows us why this is a mistake: websites — which play a key role in marketing and revenue generation — are increasingly targeted by hackers, making them a source of risk to customers and casual visitors." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Widespread Attack on WordPress Sites Targets Tatsu Builder Plug-in

Creating a company culture for security may need to start by tearing down an anti-security culture.

"Culture eats strategy for breakfast" is a frequently used (and just as frequently misattributed) quote about the relative power of formal strategies and the cultures that put them into practice. Whether executives can strategize around their own culture is highly debatable, but here's something I know to be true: Culture chews giant holes in cybersecurity.

The idea of a "security culture" is powerful and popular in both cybersecurity and physical security worlds. Basically, it's the notion of making security-aware behavior so much a part of the organizational culture that the people in the organization become a powerful defensive component. It is, in most cases, the endgame of cybersecurity awareness training and the much-desired ultimate stage of cybersecurity maturity.

That's all good, but my concern is at the other end of the process — the one in which the organization's culture is not only blind to cybersecurity but also actively hostile to much of the good behavior that makes cybersecurity work.

**Friction = Bad  
**Efficiency is an obsession for most executives. Making sure that the maximum results come from the minimum investment is good business sense. Friction takes energy and turns it into something other than desired results. The more friction, the less efficiency, and the more waste. Seems simple, right? But there's a problem.

Many necessary business processes add friction to the system. Collecting (and paying) taxes adds friction. Keeping records adds friction. Human resources, health and safety safeguards, and yes, cybersecurity, all add friction. That's why some businesses develop a culture that considers each and every one of these activities to be something bad — something to be minimized, avoided, or worked around. Which is fine ... to a point.

The key to business success with all of these (and similar) activities is not to eliminate them but to make sure that the friction imposed on business processes is proportional to the business benefit derived from the activity. An unhealthy organizational culture says, basically, that there is no business benefit sufficient to warrant any friction in the most basic business activities – usually defined as marketing and sales. When the essential culture of the organization is along these lines, anything that injects friction will be at best ignored and at worst subverted. And this is the point where cybersecurity awareness training has to start.

**Mind the Gap  
**Cybersecurity awareness training begins with the simple premise that cybersecurity has value. And for that message to get through to users, the organization's culture must accept that the friction cybersecurity adds to business processes is worthwhile — that the cost of cybersecurity will be an investment rather than a boondoggle.

Too often we have created business cultures that prioritize efficiency and productivity not only over all other considerations but also to the exclusion of all other considerations. These are cultures that like to consider themselves ruthless and relentless and are all too often reckless and blinkered. Employees are often encouraged — implicitly by the culture, if not explicitly by management — to go around anything that might add friction to a process. That "thing" can be record-keeping, compliance with regulations, or cybersecurity. In each of these cases, the ultimate cost of evading the friction can be much higher than accepting it as part of doing business. And that's the blunt message that may have to lead cybersecurity awareness training in one of these "damn the consequences" cultures.

In the best of outcomes, cybersecurity awareness training results in a culture that values cybersecurity and prioritizes the actions and attitudes that make security part of everyday business behavior. But that outcome may lie at the end of a long road; the first step is building simple acceptance that cybersecurity has value for the company.

Training to Beat a Bad Cybersecurity Culture

Most local leaders lack cybersecurity resources so they don't know where their weaknesses are and which areas threat actors are most likely to target, with little focus or understanding of risk.

Local governments remain prime targets for ransomware, as hackers lock up government systems and leave municipalities with few resources and long recovery times. Everything from emergency response systems to hospitals, schools, and the elections could be up for grabs as these threat actors wreak as much havoc as possible.

It's a scary time as the landscape grows to include new threats like "killware," which is exactly as dangerous as it sounds. As Homeland Security Secretary Alejandro Mayorkas said recently, "The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us."

Sadly, it's not.

Hackers are consistently breaching local government systems that have weak password policies, lack multifactor authentication, and lack proper data recovery processes and tools. Those most at risk are not properly managing even the most basic security tasks, such as solidifying data backup and recovery processes. Users often share credentials like it's a Netflix account and critical systems are at risk because of it. Most local governments lack proper information security and governance.

Local leaders often lack the resources, budget, and knowledge for cybersecurity. Most don't know where their weaknesses lie and which areas threat actors are most likely to target because there is not a focus on understanding information security risks.

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wants them to step up. The National Association of State Chief Information Officers (NASCIO) adds further urgency with its top 10 priorities for 2022, in which risk management and cybersecurity top the list.

Here are a few steps that local and county governments can take to improve their cybersecurity posture and avoid a costly breach.

**Contact a Cybersecurity Professional  
**In many cases, IT teams advising on cybersecurity are punching above their weight. But the risk of a cyberattack can't be ignored. Local governments need to partner with an organization that can not only check compliance with cybersecurity standards but also technically assess their controls.

Even if local governments are subject to cybersecurity policies, policies do not equal security. Compliance audits should check against the 18 Center for Internet Security (CIS) critical security controls and the National Institute of Standards and Technology (NIST) cybersecurity framework and also include a technical control suitability and configuration review.

In other words, the assessment should dig into the technical weeds. It should identify how governments are orchestrating backups, which forms of remote access are in use, whether there is multifactor authentication on all of them, how strong the passwords must be, and email security.

Undoubtedly there is a lot of work involved here and some of it is costly. However, a proactive approach is far cheaper than paying recovery costs (even if ransom isn't paid) and trying to repair the integrity of a government's systems and its reputation. In 2020, ransomware attacks cost US government organizations nearly $19 billion.

**Use Available Funding  
**Many local governments cite a lack of funding as a reason that cybersecurity isn't taken more seriously. While funding circumstances vary greatly across the country, there are some resources available that, although not exclusively for that purpose, can be allocated to cybersecurity.

As part of the American Rescue Plan, the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program delivers $350 billion to state, local, and tribal governments across the country for a variety of uses, including cybersecurity. Hundreds, if not thousands, of local governments aren't spending those relief funds in that way.

According to a report by Deloitte and NASCIO, the majority of states spend only 1% to 2% of their IT budgets on cybersecurity, yet federal agencies and private sector businesses spend 5% to 20%. Attackers are targeting local governments just as disproportionately as they spend on security. One study in 2020 found that local governments are the most common target of cybercriminals, with 45% of ransomware attacks aimed at municipalities.

**Perform a Penetration Test  
**Once you've identified the right cybersecurity partner and some funding to help increase your security posture, you'll want to start with a technical control suitability and configuration assessment, including a penetration test. This is an eye-opener for a lot of local governments that never thought twice about sign-in credentials or the risk posed to systems that are often taken for granted, like emergency response or traffic lights.

Your cybersecurity partner should perform both internal and external pen testing in their assessment. The data points that come out of those studies should serve as priorities for the administration and basically provide the to-do list for the next 24 months to orchestrate and support a cybersecurity strategy.

There is no quick fix for cybersecurity, but there are plenty of reasons to make the investment outside of recovery costs or ransom payments.

Consider that the Washington, DC, police network was breached and hackers posted hundreds of pages of purported internal documents. In Cornelia, Georgia, a fourth ransomware attack in two years disabled the town's software network so it couldn't pay its outstanding bills or bill its own customers for water use. In fact, water treatment plants have been of particular interest to hackers. Public water systems were hacked in California, Florida, and Pennsylvania last year, although thankfully none of the attacks have resulted in poisoned water reaching residents.

Local governments have already been targeted heavily and their threat landscape has only increased since Russia's invasion of Ukraine. The US has been bracing for Russian cyberattacks to hit home as the conflict intensifies. Municipalities, particularly the ones that control utilities, can protect against hackers' disruptions by making the necessary investments in security. With proper protections, you can save yourself from those headaches and avoid the disastrous disruptions and costs of an attack.

Local Government's Guide to Minimizing the Risk of a Cyberattack

The online giant analyzes, patches, and maintains its own versions of open source software, and now the company plans to give others access to its libraries and components as a subscription.

Developers who want to benefit from Google's security efforts will soon be able to subscribe to a service that allows developers to use open source components that they know have been vetted and patched for security issues by Google's developers.  

The service, dubbed Assured Open Source Software (OSS), provides versions of popular open source packages that are scanned frequently, augmented by metadata created by code analysis, comply with the nascent Supply chain Levels for Software Artifacts (SLSA) framework, and are signed by Google. 

In many ways, the service is similar to the curated Linux distributions maintained by companies such as Red Hat and Ubuntu, says Eric Brewer, vice president of infrastructure for Google Cloud and a Google Fellow.

"The idea of having curated version is not new per se, but it is just more important than ever," he says. "Plus, we wanted to show that it is important to actually do the provenance, do the metadata, do the scanning, do the fuzzing, build it from source — and sign it. That's the right way to do it."

The announcement of the new service comes a week after the Linux Foundation and the Open Software Security Foundation, along with the support of nearly 40 companies, released a plan for securing open source software. That effort is focused on 10 separate initiatives in three broad areas: securing open source production, improving vulnerability discovery and remediation, and speeding patch cadence.

While Google is a major sponsor of the effort and has provided technology and specifications for a myriad of security-focused efforts — such as Security Scorecards, AllStars, and the Alpha Omega Project — Assured OSS will be eventually be a paid, commercial service, Brewer says.

"Last week was about the community focus," Brewer says. "But you ... \[also\] need a lot of private investment from many different companies to make these things better, easier to use, and you also need — especially for the critical core stuff — you need a lot of industry cooperation."

    

Open source software requires companies to analyze and maintain commonly used components. Source: Google Cloud blog

**Scanning, Fuzzing, and Checking on 100K Cores  
**While most companies maintain their own package management system as a private repository, Google's level of vetting and security testing is significant, when looking at the numbers.

The company has an end-to-end process that includes continuous fuzzing of more than 500 of the most popular packages, using a massive infrastructure based on 100,000 processor cores, Google stated in a blog post announcing the Assured OSS service. The company also provides software bill of materials (SBOM) and supply chain integrity checking through the SLSA framework.

The Assured OSS framework will also natively integrate with software-security analytics firm Snyk.

"We recognize that most organizations do not have the resources or experience to construct and operate such a comprehensive program," Google Cloud stated in its blog post. "Instead, their development teams might individually decide where they get third-party source code and packages, how they are built, and how to redistribute them within their own organizations according to their goals, threat and risk model, and resources."

**Overlapping Efforts Pose inefficiency Risk  
**Google is not alone in offering a curated collection of vetted open source software. In addition to the aforementioned Linux distros, a variety of companies — such as Anaconda — have created vetted repositories that include managing both patching and integrity issues for companies. In addition, other companies — such as Snyk, Sonotype, and Debricked — offer ways to evaluate open-source projects and libraries based on security metrics.

Google's new service raises the specter, however, that multiple companies will offer overlapping services that provide similar analyses of the top 500 packages, but do not venture into vetting packages that are less popular but still important. While redundancy is often a good attribute — because a company could find a vulnerability that another company misses — it is important for organizations to also provide more coverage across a greater number of packages, Brewer acknowledges .

"There are lots of ways to work together, but I think open source by its nature, because it is already shared, requires we work together better," he says. "So at a minimum, we should make sure that we are fixing different packages, rather than fixing the same packages — it would be globally inefficient to do that."

Assured OSS will be available to preview sometime in the third quarter of 2022, according to Google.

Source

DARKReading