India says China Not Responsible for Power Sector Cyber Attacks; Oxford COVID Lab Targeted; NCSC Free Cybersecurity Tool for Small Businesses; United Health Services Says Ransomware Cost $67M

Lab equipment needs proper segmentation to protect it from hacking and to ensure the integrity of the experiments and the corresponding data. With the current crisis, many services were set up quickly to accommodate adjustments in work locations. Those configurations may also include providing remote access to systems like this. Don’t wait for someone else to find gaps in your hurried implementations; review the configuration, making sure that security best practices are followed, particularly strong authentication. If remote access is no longer needed, remove it.

Lee Neely

Small business have difficulty knowing where to start. This tool helps; it provides specific recommendations to get going. One thing to pay attention to is an asset lifecycle. I have often visited businesses with equipment that is ten or more years old, where the bar for compromise has become quite low. Equipment sold to small businesses is not always at the same level of sophistication as enterprise offerings and necessitates a shorter lifecycle as well as regular verification that they are updated and still secure.

Lee Neely

Small businesses are targets, not because the value of a successful attack is high, but because the cost of attack is low.

William Hugh Murray

This will help companies navigate their way through the maze they see around cybersecurity. The UK’s NCSC has been proactive in providing businesses with free and independent guidance on how to keep their systems secure – a model I hope many other governments will adopt.

Brian Honan

While cyber may feel like insurance with little to no ROI in the boardroom, recovery costs and shareholder impact change the equation. Prevention is cheaper than response and recovery. Prioritize fixes with large returns such as differential backups and ubiquitous use of multi-factor authentication. Review security best practices for both remote access and newly provisioned cloud services to make sure nothing is missed. Lastly, make sure that your incident response plan is up to date dated and tested, rather than a letter to your successor.

Lee Neely

Monitoring, detection, and incident response capabilities must be in place before reporting is possible. Reducing dwell time by discovery of malicious or unusual behavior is key and requires sufficient visibility into the enterprise services, whether legacy or cloud based, before you become a headline. An intern choosing and publishing a bad password is not a failing of the intern; it is a failing of the company processes to properly train and support them.

Lee Neely

While useful, and perhaps even necessary, "breach disclosure" operates late. Prevention operates early but is more difficult to legislate. It might well start with legislation that requires transparency and accountability for all distributions.

William Hugh Murray

Nowhere in the CERT Alert or in the Rockwell Automation site’s mitigation guidance did I see “deploy patched version of the badly designed, vulnerable software that contains a hardcoded encryption key.” There does not seem to be a patch available or any reference to a planned patch. The mitigation guidance is pretty much “it will hurt if you do that, so don’t do that.” The reality is that deploying patches to PLCs is hard, disruptive, and expensive – really good reasons that vendors that sell to that market should be taking security seriously from the start.

John Pescatore

PLCs need isolation, as they don’t respond well to unwelcome advances. There is no patch here, only mitigations. Segmentation, which means permitting connections only from authorized devices, is key. Do not enable direct Internet access. Additionally review Rockwell’s System Security Design Guidelines for defense-in-depth configuration of automation systems. https://literature.rockwellautomation.com/idc/groups/literature/documents/rm/secure-rm001_-en-p.pdf

Lee Neely

Implementing Zero Trust requires supporting underlying practices to monitor the available services for maleficence. The endpoint becomes the security boundary, necessitating strong configuration management, monitoring and updating along with good business practices and a mature security model. You also need layer 7 visibility and monitoring, and an understanding of how services are authorized to communicate. Operational Technology, SCADA and ICS systems may not be good candidates for Zero Trust.

Lee Neely

Zero Trust is an 11 year old buzzword that basically means “Implement all of the Critical Security Controls” and then go further. You cannot start at the Zero Trust Level, you have to have a secure foundation.

John Pescatore

The steps in "zero trust" should be taken in the order of efficiency. One starts with strong authentication, and then moves on to end-to-end application layer encryption. These two things are highly efficient. The next two steps are first horizontal process to process authentication and then vertical.

William Hugh Murray

If you’ve enabled a PIN to protect your T-Mobile account from SIM-swapping attacks, change it now. Also change your account password as well as your security questions and answers. Set a PIN on your account if you don’t have one. T-Mobile is offering two free years of credit-monitoring and identity theft protection to affected users. If you don’t already have it, now is a good time to get credit monitoring started.

Lee Neely

T-Mobile customers who rely upon their mobiles for authentication should be sensitive to evidence of compromise such as not receiving calls or one time passwords that they expect. T-Mobile must increase customer authentication for requests for remedies for this breach; attacks will look like requests for remediation. This authentication may have to include having the customer present credentials like drivers licenses or passports. This breach demonstrates a limitation on the use of SMS for the distribution of one-time passwords.

William Hugh Murray

A timely reminder that the insider threat is alive and well and adversaries will look to coerce or bribe insiders as part of their attacks.

Brian Honan