As reported by CNN, a high school principal in Pikesville, Maryland, found his life and career turned upside down when in January a recording suggesting the principal made racially insensitive and antisemitic remarks went viral. The school faced a flood of calls from concerned persons in the district, security was tightened, and the principal
DHS
Cyber Safety Review Board Issues Compelling Report about Lapsus$, MFA Vulnerabilities, and Helpful Recommendations
The Cyber Safety Review Board (Board) issued a report entitled, Review of the Attacks Associates with Lapsus$ and Related Threat Groups (Report), released by the Department of Homeland Security on August 10, 2023. The Report begins with a message from the Board’s Chair and Vice Chair discussing WarGames, a movie with interesting parallels to…
Cyber Incident, Ransom Payment Reporting to DHS Mandatory for Critical Infrastructure Entities
Included within the Consolidated Appropriations Act, 2022, signed by President Joe Biden on March 15, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Act) creates new data breach reporting requirements. This new mandate furthers the federal government’s efforts to improve the nation’s cybersecurity, spurred at least in part by the Colonial Pipeline cyberattack that snarled the flow of gas on the east coast for days and the SolarWinds attack. It’s likely the threat of increasing cyberattacks from Russia in connection with its war effort in Ukraine also was front of mind for Congress and the President when enacting this law.
In short, the Act requires certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):
- a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
- any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident to be reported in i. above)
Supplemental reporting also is required if substantial new or different information becomes available and until the covered entity notifies DHS that the incident has concluded and has been fully mitigated and resolved. Additionally, covered entities must preserve information relevant to covered cyber incidents and ransom payments according to rules to be issued by the Director of the Cybersecurity and Infrastructure Security Agency (Director).
The effective date of these requirements, along with the time, manner, and form of the reports, among other items, will be set forth in rules issued by the Director. The Director has 24 months to issue a notice of proposed rulemaking, and 18 months after that to issue a final rule.
Some definitions are helpful.
- Covered entities. The Act covers entities in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that meet the definition to be established by the Director. Examples of these sectors include critical manufacturing, energy, financial services, food and agriculture, healthcare, information technology, and transportation. In further defining covered entities, the Director will consider factors such as the consequences to national and economic security that could result from compromising an entity, whether the entity is a target of malicious cyber actors, and whether access to such an entity could enable disruption of critical infrastructure.
- Covered cyber incidents. Reporting under the Act will be required for “covered cyber incidents.” Borrowing in part from Section 2209(a)(4) of Title XXII of the Homeland Security Act of 2002, a cyber incident under the Act generally means an occurrence that jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or an information system. To be covered under the Act, the cyber incident must be a “substantial cyber incident” experienced by a covered entity as further defined by the Director.
- Information systems. An information system means a “discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” which includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
- Ransom payment. A ransom payment is the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.
A report of a covered cyber incident will need to include:
Continue Reading Cyber Incident, Ransom Payment Reporting to DHS Mandatory for Critical Infrastructure Entities
DHS IG Report Raises Questions About Department’s and its Subcontractors’ Ability to Protect Biometric Information Following Breach
Earlier this month, our Immigration Group colleagues reported the Department of Homeland Security (DHS) would release a new regulation to expand the collection of biometric data in the enforcement and administration of immigration laws. However, as reported by Roll Call, a DHS Inspector General report raised significant concerns about whether Department is able to…
Legislators and Regulators Weigh in On Privacy and Data Security Protections for Healthcare Providers Amid COVID-19 Pandemic
As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.
On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s…
UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks
In the US, many organizations anxiously awaiting assistance under the CARES Act are becoming the targets of cyberattackers looking to feed off of the massive relief being provided by the US treasury. Yesterday, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of a substantial increase in these attacks, providing helpful guidance concerning the nature of the attacks and related information.
Specifically, the alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. The alert notes that the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.
Organizations may not be able to prevent all attacks, but there are steps they could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Here are just a few of those steps.
Before an Attack
- Build the right team
- Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in emerging threats and prepared to support the organization in the event of an attack.
- Secure the systems
- Conduct a risk assessment and penetration test to understand the potential for exposure to malware.
- Implement technical measures and policies that can prevent an attack, such as endpoint security, multi-factor authentication, regular updates to virus and malware definitions/protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.
- Make your employees aware of the risks and steps they must take in case of an attack
- This is particularly critical now – educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently.
- Employees should avoid revealing personal or financial information about themselves, other employees, customers, and the company in email, including wiring instructions. If they must, they should confirm by phone.
- Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures) and what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).
- Maintain backups
- Backup data early and often.
- Keep backup files disconnected from the network and in separate locations.
- Develop and practice an “Incident Response Plan”
- Identify the internal team (e.g., leadership, IT, general counsel, and HR).
- Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).
- Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.
- Plan to involve law enforcement (e.g., FBI, IRS, Office of Civil Rights, and so on).
- Plan to identify, assess, and comply with legal and contractual obligations.
- Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.
After an Attack
Continue Reading UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks
US Senate Bill Passes, Seeking to Establish “Cyber Hunt and Incident Response Teams”
More than 500 United States schools (connected with 54 different education entities such as school districts and colleges) have been infected with ransomware during the first nine months of 2019, according to a recent report by cybersecurity firm Armor, making the education sector one of the leading ransomware targets, following only municipalities as the top…
Global Cyberattack Exploits Known Vulnerabilities
As you likely know by now, international cybercriminals launched a worldwide ransomware attack last Friday with the European law enforcement agency Europol reporting over 100,000 affected organizations in 150 countries, including the U.S. Reports indicate that health care providers, universities, and other large companies were all targeted. The Department of Health and Human Services also …
President Trump’s Executive Order on Cybersecurity…
On May 11, 2017 – after weeks of anticipation – the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. There could not be better timing with a global cyberattack unleashing ransomware against governments and companies in nearly 100 countries around the globe. This newly released Executive Order…
Cyber Security Awareness Needs To Last Beyond October
The U.S. Department of Homeland Security (DHS) has designed October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just from information system hacking, but also from employee error and other threats. Setting up a comprehensive training and awareness program…