SANS NewsBites

US Dept. of Commerce Rule Regulates Hacking Tool Export; Microsoft's Cybersecurity Tools for Nonprofits; DoJ Wants Private Sector to Coordinate with Law Enforcement on Cybersecurity; CISA Backs 24 Hour Cyber Incident Disclosure Time Frame for Critical Infrastructure

October 22, 2021  |  Volume XXIII - Issue #83

Top of the News


2021-10-21

Commerce Export Rule for Spyware and Hacking Tools

The US Commerce Department’s Bureau of Industry and Security (BIS) has published an interim rule that regulates the “export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.” The rule bars companies from selling spyware and other technologies to China, Russia, and several other countries without first obtaining a license from BIS. In determining whether or not to grant a license, BIS will look closely at the intended end-user of the technology. The rule takes effect in 90 days.

Editor's Note

This follows the changes made to the Wassenaar Arrangement (WA) in 2013 when they added cybersecurity items to the WA list, which resulted in comments and refinement of that language in the WA 2017 amendment. This rule attempts to implement that language. There is a 45-day comment period, which started October 20, 2021. A concern remains that tools can be used for malicious or sanctioned activities; and once licensed for an approved use, a malicious insider can use them for malfeasance. Further, researchers and our cyber security teams need the tools the adversaries have to understand attacks, verify security and prepare response measures.

Lee Neely

As CTO of a company that sells a platform that will most likely fall in scope, I welcome this regulation. Current requirements are limited to export control checks. I do not want our attack platform (or any other platform for that matter) in the wrong hands. Current due-diligence background checks are based on ethics that other companies may not have.

Jorge Orchilles

Many otherwise useful tools “can be used for malicious cyber activities.”

William Hugh Murray

2021-10-21

Microsoft Releases Cybersecurity Tools for Nonprofits

Microsoft has launched its Security Program for Nonprofits. The company’s 2021 Digital Defense Report found that nongovernmental organizations (NGOs) and think tanks were the second-most targeted sector in cyberattacks; the most targeted sector was government. The program includes free access to AccountGuard, which alerts organizations when their Office 365 accounts are being targeted by nation-state actors; free security assessments; and free training resources for administrators and end users. Microsoft plans to make the tools available to 10,000 organizations within the first year, and 50,000 over the next three years.

Editor's Note

We have seen several times in the past where NGOs and similar organizations were used as “proving grounds” for new techniques connected to state actors. NGOs have an even harder time defending against these attacks due to their lack of resources, but are also often more willing to share, providing the defensive community with valuable insight. Google has had similar programs as well protecting at-risk organizations.

Johannes Ullrich

This is a further expansion of the AccountGuard program, which was launched in 2018 for political customers, including campaigns, which then expanded into healthcare, human rights organizations and journalists. Read the guidelines for eligibility (https://www.microsoft.com/en-us/nonprofits/eligibility: Nonprofit eligibility) and if eligible, leverage this service, including the free assessments, to assure you’re maintaining a solid security posture.

Lee Neely

I’m very excited about this initiative and applaud Microsoft for it. In many ways this is similar to Google’s efforts to provide extra notifications and security options for highly targeted individuals. My one concern is that when you visit Microsoft's landing page for this new program, it’s overwhelming with a huge number of resources. While to most security professionals this looks great, when you look at it through the lens of an NGO, it's complicated and confusing. The problem for most NGOs is that they are overwhelmed and horribly understaffed; they don’t know where to start with security. Hoping MS can make security simple for NGOs.

Lance Spitzner

2021-10-20

DoJ Wants Private Sector to Work More Closely with Law Enforcement on Cybersecurity

Deputy Attorney General Lisa Monaco wants to know what gets in the way of private sector companies coordinating with law enforcement on cybersecurity. Monaco was speaking at a Department of Justice (DoJ) Criminal Division roundtable on Wednesday, October 20. She noted that companies experiencing cyberattacks “can help avoid liability through working with law enforcement.” Monaco also noted that law enforcement could help recover ransomware payments and discover decryption keys.

Editor's Note

The time to properly investigate and act may exceed your risk tolerance. Even so, develop a relationship with your local law enforcement and FBI offices and discuss the mechanisms and merits of providing the information and evidence they need to take action to help others before they are in the same situation.

Lee Neely

A key issue for many private firms cooperating with law enforcement is the lack of feedback or visibility into how their cases are progressing. While this lack of sharing back by law enforcement is understandable due to operational and investigative issues, it can be frustrating for private firms to see little or no return for the time and effort they often expend in assisting law enforcement. Law enforcement needs to better understand this and examine ways that firms can see the benefits provided by their cooperation, even if it is just at a high level.

Brian Honan

Business is anxious to remediate attacks while law enforcement wants to preserve evidence. These motives are often at odds.

William Hugh Murray

2021-10-20

CISA Favors 24 Hour Cyber Incident Reporting Time Frame

US Cybersecurity and Infrastructure Security Agency (CISA) executive director Brandon Wales said his agency supports a 24-hour cyber incident reporting time frame for critical infrastructure operators. Speaking at a Bloomberg event earlier this week, Wales said, “We think 24 hours is the right amount of time, that brings it in early enough for us to use the information, but does give the company some time to determine whether this is a real incident or not.” A Senate bill currently in committee also proposes a 24-hour time frame; other proposed legislation would impose a 72-hour notification time frame.

Editor's Note

Some early interpretation of GDPR rules led to a flood of reports as companies over-reported to avoid fines. Reporting an incident within 24 hours after discovery is possible, but do not expect to have all the details and be ready for some errors that happen during the initial phases of the analysis.

Johannes Ullrich

Any notification window needs to start after the incident is verified. Are you prepared to notify an external entity of an incident whether you have 24 or 72 hours to do so? Make sure you understand who needs to be involved in reporting, and what constraints and concerns are present. This reporting would likely be an extension of CISA’s Joint Cyber Defense Collaborative, which you should be leveraging to extend and augment your planning, communications, joint cyber defense plans, etc.

Lee Neely

Until we can measure time-to-detection in hours to days, rather than weeks to months, this kind of legislation will have little impact.

William Hugh Murray

The Rest of the Week's News


2021-10-21

International Effort Disrupts REvil Ransomware Group

In a cooperative effort, law enforcement agencies and cybersecurity experts from multiple countries took steps to disrupt the REvil ransomware group. This is the second time that the REvil group has gone dark. Confirmed details are scarce.

Editor's Note

Multi-sector and country law enforcement collaboration is key to taking down these activities. As tempting as it is to take action when personally attacked, don’t. Leverage your relationship with law enforcement to let them take the action.

Lee Neely

This is good news and kudos to all those involved. With any luck any intelligence gathered as part of this operation will eventually lead to the arrest of those behind the REvil attacks. A note of caution on these types of operations is that hopefully they are being conducted with the appropriate court oversight and transparency.

Brian Honan

I welcome action being taken to disrupt any ransomware group. This will impact other groups and is a step in the right direction.

Jorge Orchilles

2021-10-21

US Legislators Question Cybersecurity Emergency Measures for Railways and Aviation

Some US legislators are questioning whether the Transportation Security Administration’s (TSA’s) new cybersecurity rules for the railway and aviation industries are “appropriate absent an immediate threat.” The legislators are concerned that the prescriptive measures do not account for industry-specific issues.


2021-10-21

MITRE Releases New Version of ATT&CK Framework

MITRE has released ATT&CK v10. The newest version of the framework includes “a new set of Data Source and Data Component objects in Enterprise ATT&CK, complimenting the ATT&CK Data Source name changes released in ATT&CK v9.”

Editor's Note

ATT&CK is the industry standard and common language that allows our security teams to collaborate and work together. Apart from data sources, (sub)techniques, groups, and software have been updated based on contributions from the community. Other updates to look at are macOS, Linux, ICS, mobile, and cloud. If you are not leveraging ATT&CK yet, now is a great time to start.

Jorge Orchilles

2021-10-20

Chrome No Longer Supports File Transfer Protocol

The most recent stable build of Google’s Chrome browser no longer supports File Transfer Protocol (FTP). Earlier builds had disabled FTP but still allowed users to choose to turn it back on; in Chrome 95, FTP support has been stripped from the codebase.

Editor's Note

Chrome just released a security update (See the CISA Alert: https://us-cert.cisa.gov/ncas/current-activity/2021/10/20/google-releases-security-updates-chrome), which means you need to deploy Chrome 95 now. FTP support was removed from Firefox back in July. This is no longer a feature you can turn back on. While you can deploy other FTP clients, a better solution is to move to secure file transfer/sharing options.

Lee Neely

2021-10-22

AWS Fixes SQL Injection Vulnerability

A quirk in how MySQL parses scientific notation allowed attackers to bypass the SQL injection protections in AWS Web Application Firewall (WAF), leaving customers who relied on those rules exposed. AWS fixed the WAF rules on October 1. The MySQL scientific notation parsing behavior dates back to 2013 and is also present in MariaDB.

Editor's Note

Consider using ModSecurity with your Apache and nginx web services to augment SQL injection attack defenses. Applications must sanitize ALL inputs.

Lee Neely
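The WAF bypass above is a reminder that a pattern-matching filter in front of an application is defense in depth, not the primary control: the query itself must never treat user input as SQL syntax. The following is an added example, not code from the story, AWS or GoSecure. It uses an in-memory SQLite table (constructed sample data) and a deliberately toy regex blocklist standing in for a WAF rule; the bypass payload it uses is illustrative and is not the MySQL scientific notation payload reported in the story. The point it shows is that the blocklist can be sidestepped by a form it did not anticipate, while the parameterized query neutralizes the same input regardless of the filter.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# Toy WAF-style blocklist (assumption: a stand-in for a signature rule, not
# AWS WAF's actual rule set). It matches the textbook "OR 1=1" tautology,
# comment markers and statement separators, and nothing else.
BLOCKLIST = re.compile(r"(\bOR\b\s+1\s*=\s*1|--|;)", re.IGNORECASE)


def waf_allows(user_input):
    """Return True if the toy WAF would let the request through."""
    return BLOCKLIST.search(user_input) is None


def lookup_vulnerable(conn, user_id):
    """Vulnerable: the input is concatenated into the statement text, so the
    database parser sees attacker-controlled SQL syntax."""
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Hardened: the value is bound as a parameter. The statement text is fixed,
    so whatever the input contains is compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def handle_request(conn, user_input, query_fn):
    """Simulate the WAF in front of the application: block on a signature
    match, otherwise hand the raw input to the chosen query function."""
    if not waf_allows(user_input):
        return "blocked"
    return query_fn(conn, user_input)


if __name__ == "__main__":
    conn = make_db()
    # The textbook payload is caught by the signature.
    print(handle_request(conn, "1 OR 1=1", lookup_vulnerable))       # blocked
    # A tautology the signature did not anticipate walks straight past it
    # and dumps every row from the concatenating query...
    print(handle_request(conn, "1 OR 2=2", lookup_vulnerable))       # all users
    # ...but is just a non-matching string to the parameterized query.
    print(handle_request(conn, "1 OR 2=2", lookup_parameterized))    # []
    print(handle_request(conn, "2", lookup_parameterized))           # ['bob']
```

The lesson is the one the story illustrates at scale: a WAF signature is only as good as the grammar it anticipated, and the database's own parser will always know more syntactic forms than the filter does. Keep the WAF, but make the application-side query the control that actually prevents injection.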

2021-10-21

WinRAR Vulnerability

A remote code execution flaw exists in WinRAR version 5.70. This version of the free file archiver utility is two years old. The vulnerability was fixed in July 2021; users are advised to ensure that they are running WinRAR version 6.02 or later.

Editor's Note

Exploitation of this vulnerability is difficult. It only affects expired trial versions of the software. An attacker would have to intercept and manipulate the HTML content retrieved by the application's license reminder. This reminder is only displayed if the trial license expired, and only every third time the software is used.

Johannes Ullrich

This is a two-year-old version of WinRAR running in free-trial mode. CVE-2021-35052 is fixed in 6.02. Make sure that installed versions are 6.02 or later. The free trial is only good for 40 days; either uninstall older copies or license them. The license is perpetual and cross-platform.

Lee Neely

One hopes that enterprise users of this product will see this warning. Many private users will not.

William Hugh Murray

2021-10-21

Candy Corn Maker Hit with Ransomware

Ferrara Candy, the company that makes numerous confections, including Brach’s candy corn, was the target of a ransomware attack earlier this month. While the attack disrupted production, Ferrara says that they filled most of their Halloween orders in August. Ferrara has resumed production at some facilities.

Editor's Note

As a parent and grandparent who loves Halloween, my first reaction is this is hitting below the belt. Ferrara Candy makes 85% of the candy corn in the US during the Halloween season. Take this as a reminder that nobody is “safe” from attack, review your readiness, check to be sure that changes made recently were done securely. If appropriate, verify that your OT is separated from IT systems, allowing communication only to authorized systems via controlled interfaces.

Lee Neely

I can do without candy corn. But please ransomware actors: Leave the full size chocolate bars alone. All joking aside: No industry is safe when it comes to ransomware.

Johannes Ullrich

2021-10-20

Seven Year Sentence for Medical Center Data Theft

A federal judge in Pennsylvania has sentenced Justin Sean Johnson to seven years in prison for breaking into University of Pittsburgh Medical Center databases and stealing personal information. Johnson was found guilty of conspiracy to defraud the US and aggravated identity theft. Johnson sold the data to others who used it to file fraudulent income tax returns and to commit other forms of identity fraud. Three co-conspirators pleaded guilty to various charges in 2017.

Internet Storm Center Tech Corner

Can You Make the Great Chinese Firewall Work For You?

https://isc.sans.edu/forums/diary/Can+you+make+the+Great+Chinese+Firewall+work+for+you/27948/


Thanks to Covid 19: New Types of Documents are Lost in the Wild

https://isc.sans.edu/forums/diary/Thanks+to+COVID19+New+Types+of+Documents+are+Lost+in+The+Wild/27952/


Stolen Images Evidence Campaign Pushes Sliver Based Malware

https://isc.sans.edu/forums/diary/Stolen+Images+Evidence+campaign+pushes+Sliverbased+malware/27954/


BlackByte Decryptor Released

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/

https://github.com/SpiderLabs/BlackByteDecryptor


FiveSys Rootkit Signed By Microsoft

https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf


Oracle Critical Patch Update

https://www.oracle.com/security-alerts/cpuoct2021.html


WinRAR Vulnerability

https://thehackernews.com/2021/10/bug-in-free-winrar-software-could-let.html


Crypto Mining npm Libraries

https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices


Google Chrome 95 Released

https://chromestatus.com/roadmap


Squirrel VM Bug

https://thehackernews.com/2021/10/squirrel-engine-bug-could-let-attackers.html


Fake Government Assistance Websites

https://www.ic3.gov/Media/Y2021/PSA211015


TA505 Coming Back

https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant


BlackMatter Ransomware

https://us-cert.cisa.gov/ncas/alerts/aa21-291a