FDIC Requires Banks to Report Incidents Within 36 Hours; Sky Broadband Finally Patches UK Routers; Tardigrade Malware Targets Biomanufacturing

Some will be excited about this 36 hour disclosure timeline, but as an IR practitioner, I'm pretty sure it's not going to be a net positive. First, while it's obvious that hiding a breach is counter to the public's interest, it's not clear what a 36 hour timeline will do to protect customers that a five day deadline won't. Second, every time I've seen accelerated disclosure timelines like this, there's a countering force where organizations try to thread the legal needle of what precisely constitutes an incident. The definition in this case is fairly comprehensive - so much so that it's hard to imagine what doesn't constitute a reporting requirement. Overly broad definitions like this don't serve the public interest. Instead, they provide a convenient excuse for organizations to interpret the rules to avoid "reporting every little thing."

Jake Williams

It’s interesting to see regulators outside of the EU adopt GDPR type regulations, in particular with regards to mandatory reporting. However, I hope the FDIC will learn from some of the issues experienced when GDPR was first introduced by ensuring it has enough resources to deal with the volume of reports it will received and that it gives clear guidance as to what determines a breach to be reportable. Finally, it is also critical that reported breaches are followed up to ensure the victim organisations investigate and remediate the breach properly and they simply don’t treat the reporting requirement as a box ticking exercise.

Brian Honan

There was a lot of squishy language (like “good faith estimate”) in the original wording that was eliminated in response to comments, a good thing. But, the basic definition of a “notification incident” is still pretty broad. For example, outages cause by service provider downtime that would still not violate the service providers SLAs could be considered a “notification incident.” The other issue will be do the Treasury Agencies use all this data to proactively alert banking institutions of potential coming attacks or is it just a data collection effort?

John Pescatore

Work with your regulator to understand the final order as it gets refined and clarified over the next six months. Develop a clear understanding of what the notification criteria mean for your financial institution and be sure you know exactly who and how you are supposed to file the notification with.

Lee Neely

Consumers often have no choice but to wait for ISPs to apply patches to equipment supplied by the ISP. Having ISPs roll out patches *should* make things easier for users, but ISPs do need to perform and not leave users hanging with unpatched equipment.

Johannes Ullrich

This patch took entirely too long to implement, though it was a fairly complex attack not likely to be exploited en-masse. That doesn't change the severity of the vulnerability though. Organizations setting clear timelines with researchers and researchers holding organizations to those timelines will keep everyone safer. I know Google Project Zero takes a lot of heat for its mandatory disclosure timelines, but that's what keeps bugs like this from going unpatched for more than a year.

Jake Williams

After you make sure that your router is updated, provided you didn’t replace it waiting on this critical update. You’re going to want to check your systems for exploitation. Encourage Sky to come out with bug fixes in a more timely fashion.

Lee Neely

This report is definitely interesting, but it should be noted that at the time of publication for this NewsBites there are significant questions about the BioISAC report in the CTI community. I haven't personally reviewed the sample yet, but have reviewed the BioISAC report and am working with people who have directly analyzed the sample. We'll publish more on this in the next NewsBites. If the story hadn't already gained major national media attention, we likely wouldn't have included it here given the questions about the original reporting.

Jake Williams

As our world becomes more and more reliant on the Internet and computers, I hope that manufacturers will recognize the need to implement manual backup.

Brian Honan

Musk reported that steps were taken to prevent recurrence. While on-line and electronic access to vehicles is really cool, make sure you have a plan B. If your Tesla has a key fob support, make sure that you have a working fob as a backup, otherwise map out what you would do if you can no longer access or drive your vehicle. Be sure to test Plan B at least once.

Lee Neely

Handing your car keys to the "cloud" may not be a great idea when it rains “verbose network traffic.”

Johannes Ullrich

I’m not sure any Tesla models can only be unlocked via a mobile app to Tesla server connection but if anyone has bought a vehicle that works that way, hard to be sympathetic. I can pretty much guarantee the multiplication of (cell phone availability times Internet connection to server) times (server availability) times (server connection to car) results in an availability number way lower than most people need for getting into their car…

John Pescatore

Patch this before leaving for the long weekend if possible. This vulnerability is being exploited already (for a few months!). I know, this will not be easy for a device like a load balancer, but the alternatives aren't pretty. The vulnerability fits well into the ransomware actor playbook.

Johannes Ullrich

Make sure that you rolled out the updates to your FatPipe WARP, MPVPN and IPVPN devices; disable UI and SSH access from the WAN interface; deploy the IOCs and verify you’re not seeing any malicious activity. If you find indicators of related activity, reach out to your local FBI office.

Lee Neely

While healthcare organizations are at the top of the list of cyber targets these days, the current environment has made it difficult for any company to be adequately staffed for the expected workload, let alone incident response. If reporting is delayed, be sure to document the contributing factors and be prepared to defend that in court.

Lee Neely

The first mitigation is to make sure your on-premises exchange servers are fully patched. Make sure that your endpoint protection server solution is deployed to your servers (as opposed to the desktop version). Make sure the linked IOCs are incorporated into your SIEM. Look to see where moving to hosted exchange servers is on your roadmap; then move it up the list.

Lee Neely

Privileged accounts, particularly those used to configure multiple systems on behalf of others, need strong authentication which is replay resistant. If you must use a password, use the longest possible password the system support; if possible, regenerate that password on a frequent basis. Consider configuring these accounts with added access control and active monitoring to provide visibility to unusual actions as well as stop unauthorized inbound and outbound activities. If you are an impacted GoDaddy user, GoDaddy changed your Admin, SFTP and DB passwords, you will need to change your admin password twice, once through password recovery and a second time through the admin users’ interface to reset the ability to manage your site through the GoDaddy dashboard. Suggest having your users also reset their passwords. If your SSL certificate is impacted, a free Domain Validation SSL certificate with a one-year duration will be installed, which can be replaced at your leisure. Lastly, GoDaddy says to make sure you’re checking the health and security of your WordPress site, consider a firewall, your active plugins are auto updated and unused ones are deleted. Additionally, make sure that you configure multi-factor access on your GoDaddy subscriber account.

Lee Neely

Some customer data exfiltrated and the IT systems are being verified for integrity prior to restarting services. Despite the Biden Administration publishing guidance to leave critical systems alone, attackers continue to target them. When the details of this attack are published, it’ll be a good use case to compare your current security readiness against.

Lee Neely

This incident was discovered and remediated September 4th 2021, the same day! Unfortunately, the initial intrusion started August 29th. Review which systems and services are exposed to the Internet, making sure critical systems are not in that list, that your backups are working and verified; make sure that you’re still conducting phishing exercises.

Lee Neely