SANS NewsBites

Cyber Expertise at the Board Level; SEC’s Proposed Cybersecurity Rules for the Financial Sector; Pixel Markup Tool Vulnerability Allows Unmasking of Redacted and Cropped Images

March 21, 2023  |  Volume XXV - Issue #23

Top of the News


2023-03-20

Just 14 Percent of New Fortune 500 Board Positions Filled with Cybersecurity Expertise in 2022

According to a recently published report from Heidrick & Struggles, of the 414 new board seats filled at Fortune 500 companies in 2022, just 14 percent went to people with cybersecurity backgrounds, down from 17 percent in 2021. The US Securities and Exchange Commission is in the process of establishing new rules for publicly traded companies that will require them to disclose the level of cyber expertise on their boards.

Editor's Note

The reality is that most cybersecurity incidents are enabled by IT operations failures (slow patching and misconfigurations) and tactical choices to continue to use reusable passwords years after everyone knew they were the major success factor for breaches and ransomware. While the SEC requiring information on board expertise in cyber security is a good thing, remember: boards approve all mergers and acquisitions and 70% of M&A deals fail and boards are supposed to be focused on strategic issues (like M&A) vs. tactical issues like IT and security operations hygiene.

John Pescatore

The value of cyber expertise at the board level depends on the business. The board is focused on strategy, hiring the CEO, selecting a chairman, and sustaining/growing the business. Having board members with a cyber background doesn't guarantee that they have the current expertise to weigh in on cyber initiatives. The operational team, including the CISO, needs to remain prepared to brief up, including background, in a context that aligns with the board focus. Board members need to make sure they are asking for the cyber briefing on new initiatives, including mergers, then empower their employee, the CEO, to act appropriately.

Lee Neely

Whilst it is important to talk about cyber risks at the board, the root cause usually comes down to a lack of focus on people, process, and technology (i.e., configuration, patch management, active monitoring) by IT operations. Board responsibility is rightly focused on business operations (costs, revenue targets, business growth, brand awareness). These are different professional skill sets. Cybersecurity expertise can be obtained as independent officers or experts that augment board deliberations.

Curtis Dukes

I’m very surprised to have seen this high a number of executive boards filled with cybersecurity expertise. This is encouraging as more traction stories like this will further board requests for members to have cybersecurity expertise. This is a rather positive news story, even if it is trying to be shocking.

Moses Frost

The primary role of the Board in cybersecurity is to set the organization's tolerance for risk. This is an application of the knowledge, skills, abilities, and experience that one expects of directors. The role of the security staff is to help the Board express the intended risk tolerance in such a way that all levels and functions of management understand what that means that they are expected and authorized to do. While this articulation is not easy, it is what we are expected to have the knowledge, skills, abilities, and experience to do.

William Hugh Murray

2023-03-17

SEC Proposes Cyber Rules for Financial Sector

The US Securities and Exchange Commission (SEC) has proposed new cyber rules for financial sector entities. The proposed rules would require covered entities to notify the SEC of a cyber incident immediately and follow up with a detailed report within 48 hours. They would also be required to notify affected individuals within 30 days of detecting an incident in which their personal data were compromised. Finally, the new rules would require covered entities to adopt policies and procedures designed to protect systems, detect and mitigate vulnerabilities, and respond to cyber incidents. The SEC is accepting comments on the proposal for 60 days after its publication in the Federal Register.

2023-03-20

Pixel Image Vulnerability Allows Image Edits to be Removed

A vulnerability in the Markup screenshot editor on Google Pixel phones can be used to recover the original image from a version that has been cropped or had portions redacted with the tool. Dubbed “aCropalypse,” the flaw has existed since 2018: Markup wrote the edited PNG over the original file without truncating it, so the trailing part of the original image data remained in the saved file after the new image’s end-of-file marker. Google has fixed the issue in Markup going forward, but images edited and shared before the fix are still at risk of being unmasked. Whether a shared image is exposed depends on where it went: services that re-encode uploaded images discard the leftover bytes, while services that store the uploaded file verbatim preserve them.
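The check a practitioner wants after a report like this is whether a saved PNG carries bytes after its IEND chunk. The Python below is an added example, not code from the original newsletter, from Google, or from the researchers who reported the flaw. It builds two small constructed PNGs, models the reported overwrite-without-truncate behavior (an assumption about the bug, written here as `overwrite_without_truncate`), and shows that the “cropped” file still carries the entire tail of the original, which a chunk walker that stops at IEND would never notice.

```python
"""Detect leftover bytes after a PNG's IEND chunk (the aCropalypse symptom)."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: bytes) -> bytes:
    """Build a minimal 8-bit RGB PNG: one IDAT, filter type 0 on every row."""
    assert len(rgb) == width * height * 3
    row = width * 3
    raw = b"".join(b"\x00" + rgb[y * row:(y + 1) * row] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def png_end_offset(blob: bytes):
    """Walk the chunk list; return the offset just past IEND's CRC, or None if malformed."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        nxt = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if nxt > len(blob):
            return None                  # truncated chunk, not a well-formed PNG
        if ctype == b"IEND":
            return nxt
        pos = nxt
    return None                          # no IEND chunk at all


def trailing_data(blob: bytes):
    """Bytes after IEND: b'' for a clean file, the leftover tail for an overwritten-in-place one."""
    end = png_end_offset(blob)
    return None if end is None else blob[end:]


def overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Assumed model of the bug: the editor reopens the existing file for writing without
    truncating it and writes the smaller edited PNG at offset 0, so the original's tail survives."""
    buf = bytearray(original)
    buf[:len(edited)] = edited
    return bytes(buf)


def demo() -> dict:
    rng = random.Random(2023)
    # Constructed sample: 64x64 of pseudo-random pixels, which compress poorly, so the file is large.
    original = make_png(64, 64, bytes(rng.getrandbits(8) for _ in range(64 * 64 * 3)))
    # Constructed sample: the "cropped" 8x8 result as a solid color, which is tiny.
    cropped = make_png(8, 8, b"\x10\x20\x30" * 64)
    leaked = overwrite_without_truncate(original, cropped)
    return {
        "original_len": len(original),
        "cropped_len": len(cropped),
        "leaked_len": len(leaked),
        "clean_trailing": len(trailing_data(cropped)),
        "leaked_trailing": len(trailing_data(leaked)),
        "leaked_ends_with_iend": leaked.endswith(png_chunk(b"IEND", b"")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Trailing data is the symptom, not the full recovery: the leftover tail is the back portion of the original’s zlib stream, and turning it back into pixels requires resynchronizing on a deflate block boundary, which this check does not attempt. Running `trailing_data` over a directory of screenshots is enough to triage which files were saved by an affected editor and which were re-encoded (and therefore cleaned) somewhere along the way.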

The Rest of the Week's News


2023-03-20

OPM Publishes Guidance for Implementing Federal Rotational Cyber Workforce Program

The US Office of Personnel Management (OPM) has published guidance for implementing a program that will allow federal employees to increase their cybersecurity expertise. The Federal Rotational Cyber Workforce Program “allows for 6-month to 1-year interagency details of cyber employees to cyber rotations where they can improve and develop knowledge and skills to not only support their own professional growth but also bring new skills back to their home agency.” The program was developed to comply with a law passed in June 2022, and aligns with an objective in The White House National Cybersecurity Strategy.

Editor's Note

While I applaud the administration’s effort to provide professional growth in developing critical cybersecurity skills, there’s a practical matter that needs to be addressed: who does the work in the losing organization? Each department and agency has a mission to fulfill; a balance has to be struck between losing and gaining organizations. It’s not clear that the new policy accounts for that.

Curtis Dukes

2023-03-20

Microsoft Azure Network Security Team: KillNet and Other Hacking Groups are Targeting the Healthcare Sector

Microsoft’s Azure Network Security Team has published a blog post that “provide[s] an overview of the DDoS attack landscape against healthcare applications hosted in Azure over three months.” The post also describes some KillNet campaigns and how the team responded to and mitigated them.

2023-03-17

FDIC OIG Report Finds Agency Still Needs to Improve Windows Active Directory Management

The US Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has conducted an “audit … to assess the effectiveness of controls for securing and managing the Windows Active Directory (AD) to protect the FDIC’s network, systems, and data.” FDIC relies on AD to “manage user identification, authentication, and authorization.” The OIG audit assessed 12 areas and determined that seven still need work: password management, account configuration, access management, privileged account management, Windows operating system maintenance, AD policies and procedures, and audit logging and monitoring.

2023-03-17

Experts are Concerned About Outlook Vulnerability Patched Last Week

A zero-day vulnerability in Microsoft Outlook that was patched last week as part of Microsoft’s Patch Tuesday is raising concerns among experts. The vulnerability can be used to steal NTLM authentication hashes: a specially crafted message causes the Outlook client to connect to an attacker-controlled server and authenticate to it. It is easy to exploit and requires no user interaction, since it triggers when Outlook processes the message rather than when the user opens it. Several proof-of-concept exploits have been released. Patching is the fix; as defense in depth, blocking outbound SMB (TCP 445) at the network edge prevents the client from reaching an external server even if a crafted message arrives.

2023-03-20

Bitcoin ATM Manufacturer Discloses Theft

Millions of dollars’ worth of virtual currency was stolen from Bitcoin ATM maker General Bytes. The thieves uploaded a “java application remotely via the master service interface used by terminals to upload videos and run it using batm user privileges.” From there, they could access the database, read and decrypt API keys for hot wallets and exchanges, send funds, download usernames and password hashes, and turn off MFA.

2023-03-20

Alleged BreachForums Admin Arrested

US federal law enforcement authorities have arrested an individual for allegedly running the BreachForums cybercrime forum. Conor Brian Fitzpatrick has been charged with conspiracy to commit access device fraud. Fitzpatrick has admitted to using the online alias “pompompurin,” which is connected to the breach of an FBI portal that resulted in thousands of phony emails being sent.

2023-03-17

Police in Ukraine Arrest Alleged Remote Access Trojan Developer

Ukrainian police have arrested an individual who is allegedly the developer of a remote access trojan (RAT) that has infected more than 10,000 computers. The malware disguised itself as game applications. The suspect had real-time access to 600 computers at the time of the arrest.

Internet Storm Center Tech Corner

From Phishing Kit to Telegram ... or Not

https://isc.sans.edu/diary/From+Phishing+Kit+To+Telegram+or+Not/29650

Old Backdoor, New Obfuscation

https://isc.sans.edu/diary/Old+Backdoor+New+Obfuscation/29646

Emotet uses OneNote

https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/

WSUS Update

https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment#uup-considerations

DOTRUNPEX .Net Injector

https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/

Samsung Exynos Chip Vulnerability

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

Android Image Cropping Problem

https://twitter.com/ItsSimonTime/status/1636857478263750656/photo/1

Bitwarden Pins

https://ambiso.github.io/bitwarden-pin/