Toyota Motor Corporation has disclosed that a misconfigured cloud environment exposed customer vehicle location data for nearly a decade. The misconfiguration allowed access to the database without a password. The incident affects both Toyota and Lexus owners who enrolled in Toyota’s cloud service platform.
A ten-year Time to Detect really skews your metrics in the wrong direction. The data exposed is not very useful for cyberattacks but does point out two weak points that are often not addressed: (1) supply chain security and (2) misconfiguration of cloud services.
Very few details on this one have been discussed so far. This could range from an S3 bucket (or another cloud provider's equivalent of S3) to a virtual machine (or instance) exposed to the Internet with no firewall rules. It’s hard to tell. What is relevant is the statement that they lacked the visibility and detection to notice the gap. They also may not have been penetration testing their cloud environment, so these items may never have been noticed. Very few details, but they are still very relevant as we see more and more of these types of disclosures by the day. The good news is that tools can help detect and find these in your cloud environments. Hopefully, you have this level of telemetry. If you don’t, look into it. If you do, who is looking at those screens?
This impacted both Toyota and Lexus customers. The lack of a password on the database hints at taking a shortcut to make things work. At some point after the data were moved to the cloud in 2012, the database was marked public rather than private. While painful, it's important to review access control settings on a periodic basis to avoid surprises, as well as going back to revisit workarounds to ensure they didn't add undue risk.
Misconfiguration is the number one vulnerability of cloud tenants. The Center for Internet Security produces several hardened images that are available in the cloud service provider’s marketplace. These secure images are built from many CIS benchmarks. This data leak was entirely preventable.
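The periodic access-control review recommended above can be partly automated. The following is an added example, not code from Toyota, SANS, or any cloud provider: it reviews S3-style bucket policy and ACL documents offline and flags the two settings that turn a private bucket into a public one (an Allow statement whose Principal is everyone, and an ACL grant to the AllUsers or AuthenticatedUsers groups). The policy and ACL documents are constructed samples; the bucket name, account id and role name are placeholders.

```python
"""Offline review of S3-style bucket access settings.

Flags the two patterns behind most "database marked public" leaks:
a bucket policy that grants access to every principal, and an ACL grant
to the AllUsers / AuthenticatedUsers groups. All documents below are
constructed samples, not real buckets."""
import json

# Canned group URIs used by S3 ACLs for "anyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy documents allow a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the statement's Principal matches every AWS identity."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def review_bucket_policy(policy_json: str):
    """Return findings for Allow statements open to every principal.

    A statement carrying a Condition is reported at medium severity: the
    condition (source VPC endpoint, IP range, ...) may be what keeps the
    bucket private, but a human still has to confirm that."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "severity": "medium" if stmt.get("Condition") else "high",
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


def review_bucket_acl(grants):
    """Return the grants in an ACL that go to a public group."""
    return [
        {"group": g["Grantee"]["URI"], "permission": g["Permission"]}
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


# Constructed sample: the "shortcut" policy that opens the bucket to anyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-telemetry",
                     "arn:aws:s3:::example-telemetry/*"],
    }],
})

# Constructed sample: the same access, limited to one placeholder IAM role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowIngestRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/telemetry-ingest"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-telemetry",
                     "arn:aws:s3:::example-telemetry/*"],
    }],
})

# Constructed sample ACL: owner has full control, plus one public-read grant.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, review_bucket_policy(policy))
    print("acl", review_bucket_acl(SAMPLE_ACL_GRANTS))
```

Run it against policy and ACL documents exported from your buckets (the provider's CLI can dump both as JSON) on a schedule, and treat every high-severity finding as a change to explain, not a report to file. The medium tier exists because a conditioned wildcard grant is sometimes legitimate; it still deserves a named owner.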
A cyberattack that occurred in March 2023 compromised personal information belonging to 5.8 million PharMerica patients. A forensic investigation revealed that intruders exfiltrated data, including names, Social Security numbers, health insurance and prescription information. PharMerica provides long-term care pharmacy services.
Not a lot of information has been made public yet on how PharMerica was compromised, but odds are high the initial vector involved phishing used to obtain reusable passwords. The availability of public generative AI engines like ChatGPT has made it much easier for very targeted phishing content (email, voice, even video) to be created by low-skill attackers. Use the publicity over AI and this very large and very expensive PharMerica breach to accelerate movement away from reusable passwords.
Two observations from this data breach notification: 1) Given PharMerica’s size – a Fortune 1000 company – sufficient cybersecurity resources should have been available to protect its infrastructure; and, 2) They waited till the last minute – 60-day HIPAA requirement – to notify HHS of the cyber breach and subsequent data loss. Each day of delay in notification gives the evildoer time to sell the personally identifiable information for malicious purposes. Perhaps it’s time for the notification rule to be shortened.
The data appears to have been breached between March 12th and 13th, and was discovered March 14th. The breach was reported to the Maine Attorney General's office May 12th. Having only two days of dwell time is far better than reports showing the average is currently around 28 days. PharMerica is stating they have no reason to believe any of the pilfered information has been used for committing fraud or identity theft. Even so, with services in all 50 states, odds increase that you could be a customer. If you are a customer, make sure that you have credit monitoring in place.
A cybersecurity incident at a third-party support provider has compromised personal information belonging to users of the Discord VoIP and instant messaging platform. The compromised data include email addresses, content of customer service messages, and attachments.
The use of Discord to leak sensitive US national intelligence information has put a spotlight on this widely used chat platform that started out being used by gamers wanting low latency voice comms. Since the hybrid workplace and allowed use of personally owned computers and phones are now the norm, odds are pretty high that one of Discord’s 150M users is one of your employees. Make sure your awareness programs and phishing campaigns include illustrating risk of sensitive information being exposed over Discord, Slack, Mumble etc.
Their ticketing system was compromised, as opposed to the Discord IM/VoIP services. With the widespread use of Discord, you likely have users in your organization. Users are likely using it for needed collaboration; you need to be aware of what data is stored there. If you haven't formally approved/sanctioned Discord, now would be a good time to remind users of any limitations on data/use of a service not qualified for business purposes.
Discord has grown massively as a community version of Slack. Many of the security community are Discord users, and now we have even seen classified documents sent around on Discord. This system for gamers was never designed with this in mind. There may be even more unknowns here that we may find. As with any system of this nature, I would advise caution.
Something to be said for using only software and services for which one pays and whose supplier, therefore, owes some minimum responsibility.
The US Department of Transportation (DoT) suffered a security breach that exposed personal information belonging to 237,000 current and former employees. The breach affected a system that processes reimbursements for employee commuting costs. DoT informed Congress of the breach on Friday, May 12.
Given the GAO story below, this is not unexpected, albeit disappointing. The affected system, TRANServe, reimburses staff across the federal government for certain transportation costs, and the breached data includes email, work phone and address, home address as well as SmartTrip and/or TRANServe card numbers. DoT has frozen access to the TRANServe system, and is working to remediate deficiencies. Unless DoT addresses the issues in their cybersecurity programs there is no guarantee there won't be additional incidents discovered. If you're a TRANServe user, make sure that you've got credit monitoring.
It would be helpful for DoT to share details of the breach, such as security tools employed, as well as patch and configuration status. These security details can help organizations create more effective security best practice guidance.
On Monday, May 15, the US Government Accountability Office (GAO) published a report that “examines the extent to which DoT has defined cybersecurity roles and responsibilities for department and component agency senior officials and managers; provides cybersecurity support to components, and provides oversight of component cybersecurity activities and managers.” The GAO found that the Department of Transportation (DoT) needs to improve the way it implements cybersecurity policies, to include cybersecurity expectations in senior managers’ performance plans, and to involve DoT’s CIO in evaluating component CIO performance.
Incentivizing cybersecurity by tying it to performance objectives, or even bonuses, sends a clear message that it is not optional. No matter what, follow-through on both resolving deficiencies and incorporating security across the board has to be an active task. Roles, policies and guidance support an actively managed cybersecurity program. While DoT did review its cybersecurity programs, no action was taken to address deficiencies.
The GAO report is timely given the recent cyber breach of DoT systems. Unfortunately, it only appears to focus on governance and oversight responsibilities vs. the importance of implementation and monitoring of cybersecurity controls within the Department. It remains to be seen what effect the cyber breach will have on senior manager performance ratings.
This report coupled with the leak reported above and the NOTAM fail suggest the need for a clear and disseminated expression of the organization's cyber risk tolerance such that everyone, executives, managers, professionals, and others, understand the minimum threshold of responsibility and accountability associated with their role. The ability to draft such an expression and get it adopted are among the job qualifications of an information security executive.
A hospital in Staten Island, New York, is operating on network downtime procedures following a ransomware attack. Richmond University Medical Center (RUMC) is still offering patient services and emergency care.
Ransomware is the great reckoning in Healthcare IT. It’s the one item causing such a disruption that it will require HealthIT to take a new look into how they are safeguarding their environment. Hospitals sometimes run on network downtime for a week or two, which puts an extra burden on the staff and puts patients at a higher risk. One example is drug interaction systems, which ensure that medication does not have interactions when given. If that system is down, those medications are checked manually—just one example of how serious this could be.
This is the latest in multiple hospitals reporting service interruptions due to ransomware-related incidents. It's being postulated that ransomware and other cyber-attacks against hospitals should be treated as disasters due to their impacts throughout the communities they serve. One hopes they can recover faster than the previously reported Murfreesboro Medical Clinic and SurgiCenter, Aspen Dental, and Cornwall Community Hospital in April, which, while making substantial progress, are still working to restore services.
The healthcare and K-12 sectors continue to be impacted by ransomware attacks. Every healthcare facility should familiarize themselves with the Blueprint for Ransomware Defense; periodically exercise their incident response as well as disaster recovery plans.
The lesson for the rest of us is that at least one hospital has still been able to care for patients in the face of a ransomware breach.
A cyberattack affecting systems at the Philadelphia Inquirer prevented the newspaper from printing its Sunday, May 14 edition. On Saturday, May 13, Inquirer staff discovered that the paper’s content management system was not working and that there was unusual activity on several of the paper’s computer systems. Print operations have since been restored, but employees are not able to use offices until Wednesday at the soonest.
The Inquirer says this is the largest disruption to their business since the blizzard of January 1996. There’s an old saying: “Everyone complains about the weather, but nobody does anything about it…” Luckily, in cybersecurity there are many things that could have been done to prevent the outage of the content management system. Good reminder to make sure your CMS is at least at essential security hygiene levels and at the top of the list for requiring 2FA for access.
This is the largest impact on their printing operations in 27 years. The newspaper is looking into co-working arrangements (a leased office space) to support the coverage of today's election. Do you have co-working spaces in your BC/DR planning? These could be a more effective way to maintain team dynamics than an "everyone work from home" plan.
Care should always be given when connecting IT systems with OT systems. By creating the connection between IT and OT systems, a pathway was created from which an adversary can attack. In this case the weakness in security of the IT infrastructure had a direct impact on physical plant operations. The Philadelphia Inquirer should revisit the security controls it has in place to protect both IT and OT systems.
Security Week
The Register
The Philadelphia Inquirer
NYT
Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Friday, May 12. The vulnerabilities include a remote code execution flaw in Apache Tomcat; an information disclosure vulnerability in Jenkins User Interface; an unspecified vulnerability in Oracle JavaSE and JRockit; an unspecified vulnerability in multiple Ruckus Wireless products that could lead to remote code execution or cross-site request forgery attacks; an incorrect authorization vulnerability in RedHat Polkit; and two vulnerabilities in Linux Kernel: a race condition vulnerability and an improper input validation issue. US Federal Civilian Executive Branch (FCEB) agencies have until June 2, 2023 to remediate the vulnerabilities.
The Polkit weakness can be used to create new administrators or install packages. This bug affects Fedora and RedHat 8.x, including their virtualization and OpenShift products. There are vendor fixes for five of the seven KEVs. The two Linux kernel fixes are for the 2.6.32.x and 3.14.x Linux kernels, which went EOL back in 2016: you need to lifecycle or isolate anything with those kernel versions.
The KEV should be used to identify and prioritize necessary patches. It constitutes what we call "actionable information," also called "intelligence." It is both free and authoritative.
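Using the KEV as "actionable information" means joining it to your own asset inventory, not reading it as a list. The following is an added example, not CISA's tooling or code from the page: it takes a feed in the shape of CISA's public KEV JSON (field names cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse are those of the published feed) and a small inventory, and produces a worklist ordered by urgency. It also carries through the point made above about EOL kernels: an asset whose vendor no longer ships fixes gets "isolate or retire" rather than "patch". The feed entries, CVE ids (placeholders), hostnames and versions are all constructed.

```python
"""Turn a KEV-shaped feed into a patch worklist for one inventory.

Field names follow CISA's public KEV JSON feed. The entries, CVE ids and
inventory below are constructed samples (placeholder CVE ids), not
catalog data."""
import json
from datetime import date

# Constructed feed in KEV shape. CVE ids are placeholders, not real entries.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed sample",
    "dateReleased": "2023-05-12",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Apache", "product": "Tomcat",
         "vulnerabilityName": "placeholder RCE", "dateAdded": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-06-02", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "placeholder race condition", "dateAdded": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-06-02", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "Ruckus", "product": "Wireless",
         "vulnerabilityName": "placeholder", "dateAdded": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-06-02", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory. `supported` is whether the vendor still
# ships fixes for that version (the 3.14.x kernel went EOL in 2016).
SAMPLE_INVENTORY = [
    {"host": "web01", "vendor": "apache", "product": "tomcat",
     "version": "9.0.x", "supported": True},
    {"host": "legacy-nas", "vendor": "linux", "product": "kernel",
     "version": "3.14.79", "supported": False},
    {"host": "build02", "vendor": "linux", "product": "kernel",
     "version": "5.15.0", "supported": True},
    {"host": "db01", "vendor": "oracle", "product": "database",
     "version": "19c", "supported": True},
]


def kev_worklist(feed_json: str, inventory, as_of: str):
    """Join KEV entries to inventory rows on vendor + product.

    Returns one row per (asset, CVE), sorted so entries tied to known
    ransomware use come first, then by soonest due date, then by host.
    `as_of` is an ISO date used to compute days remaining to the FCEB
    due date. Assets whose vendor no longer ships fixes get the action
    'isolate or retire' because there is nothing to apply."""
    today = date.fromisoformat(as_of)
    feed = json.loads(feed_json)

    # Index the feed once; product matching is case-insensitive.
    by_product = {}
    for v in feed["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        by_product.setdefault(key, []).append(v)

    rows = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for v in by_product.get(key, []):
            due = date.fromisoformat(v["dueDate"])
            rows.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
                "due": v["dueDate"],
                "days_left": (due - today).days,
                "action": "patch" if asset["supported"] else "isolate or retire",
            })
    rows.sort(key=lambda r: (not r["ransomware"], r["due"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in kev_worklist(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, "2023-05-15"):
        print(row)
```

Vendor and product naming in the real feed is not always consistent with what a CMDB records, so in practice the join key needs a small alias table; the structure above is what the aliases feed into.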
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory warning that threat actors are exploiting a vulnerability in PaperCut NG and MF to target organizations within the education sector. A patch for the flaw was released in March 2023. The advisory urges organizations to apply the fixes.
The fixes have been out since March, and you should have previously applied them. Do a scan to double check that you're running the fixed versions. The pc-app.exe process runs with SYSTEM or root-level privileges, so if it is tricked into running a command or PowerShell process, that process will be running with elevated privileges too.
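Because pc-app.exe runs as SYSTEM, the lineage "pc-app.exe spawns a shell interpreter" is the detection to have in place alongside patching. The following is an added example, not PaperCut's code or anything from the advisory: it scans constructed Sysmon-style process-creation events (Event ID 1 field names ParentImage, Image, CommandLine, User, Computer) for cmd.exe or PowerShell children of pc-app.exe and notes whether the child inherited the SYSTEM account. The hostnames, install path, and the benign sibling process name are made up for the example.

```python
"""Process-lineage detection for a privileged print-server process.

Constructed Sysmon-style process-creation events are scanned for shell
interpreters spawned by pc-app.exe, which runs as SYSTEM. Hostnames,
paths and the sibling process name are made up for this example."""
import json
from pathlib import PureWindowsPath

PARENT_OF_INTEREST = "pc-app.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line prefixes to suppress. Keep empty until a baseline of the
# server shows pc-app.exe legitimately launching a shell for something.
ALLOWED_COMMAND_PREFIXES = ()


def _basename(image_path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return PureWindowsPath(image_path).name.lower()


def parse_events(jsonl: str):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def suspicious_children(events):
    """Return hits where pc-app.exe launched a shell interpreter.

    `events` is an iterable of dicts using Sysmon Event ID 1 field names.
    `privileged` records whether the child ran as the SYSTEM account,
    which is what makes this lineage worth paging on."""
    hits = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) != PARENT_OF_INTEREST:
            continue
        if _basename(ev.get("Image", "")) not in SHELL_CHILDREN:
            continue
        cmd = ev.get("CommandLine", "")
        if any(cmd.lower().startswith(p.lower()) for p in ALLOWED_COMMAND_PREFIXES):
            continue
        user = ev.get("User", "")
        hits.append({
            "host": ev.get("Computer"),
            "user": user,
            "child": _basename(ev["Image"]),
            "command": cmd,
            "privileged": user.upper().endswith("\\SYSTEM"),
        })
    return hits


# Constructed sample events as JSON lines, the way a SIEM export might look.
# Line 1: the lineage we care about. Line 2: a made-up benign child of
# pc-app.exe. Line 3: a user's own PowerShell, unrelated to the print server.
SAMPLE_EVENTS = """
{"Computer": "print01", "User": "NT AUTHORITY\\\\SYSTEM", "ParentImage": "C:\\\\Program Files\\\\PaperCut MF\\\\server\\\\bin\\\\win\\\\pc-app.exe", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c ver"}
{"Computer": "print01", "User": "NT AUTHORITY\\\\SYSTEM", "ParentImage": "C:\\\\Program Files\\\\PaperCut MF\\\\server\\\\bin\\\\win\\\\pc-app.exe", "Image": "C:\\\\Program Files\\\\PaperCut MF\\\\server\\\\bin\\\\win\\\\pc-helper.exe", "CommandLine": "pc-helper.exe"}
{"Computer": "ws07", "User": "CORP\\\\alice", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell.exe -File backup.ps1"}
"""

if __name__ == "__main__":
    for hit in suspicious_children(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

The same parent/child rule translates directly into a SIEM or EDR query; the point of keeping ALLOWED_COMMAND_PREFIXES empty by default is that a print server's service process launching a shell is rare enough that every suppression should be justified by an observed baseline, not added to quiet the alert.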
Rockwell Automation has published six advisories describing vulnerabilities in several products, including certain Kinetix 5000 industrial control routers, PanelView 800 graphics terminals, Arena event simulation and automation software, and its ThinManager software management platform. Fixes are available for the vulnerabilities.
If nothing else, ensure these are not directly accessible from the Internet and the systems are properly segmented from other systems, only allowing authorized devices and users to access them.
Given the large number of vulnerabilities identified over the past year in Rockwell Automation products, a relook at their SecDevOps process is warranted by the company. In today’s software first environment, security has to be a priority in software development.
La Policía Nacional (the National Police of Spain) have arrested 40 people in connection with a cybercrime campaign involving phishing, identity theft, bank fraud, and money laundering. The operation is believed to have netted more than €700,000 ($764,000) from its victims.
The attack used SMS messages with urgent requests to log in to their financial institution, leading to credential capture, funds transfers, etc. If you, or your management team, have never seen social engineering in action, make sure you stop by the social engineering village at your local hacker con. That experience, and using this event as a case study in social engineering, should be incorporated into your user awareness training; we need to help our users so these methods stop working.
The availability of cheap AI is likely to make "phishing" more narrowly targeted, widely used, and even more efficient. If one has not already adopted MFA resistant to replay, time is not on one's side. Standards, models, services, and even code, for doing this are available.
Policia
The Hacker News
Infosecurity Magazine
Bleeping Computer
The .zip gTLD: Risks and Opportunities
https://isc.sans.edu/forums/diary/The+zip+gTLD+Risks+and+Opportunities/29838/
Ongoing Facebook Phishing campaign Without a Sender and (almost) without Links
Intel Microcode Updates Do Not Patch Vulnerability
https://www.theregister.com/2023/05/15/intel_mystery_microcode/
Intel Mystery Microcode Patch
https://www.phoronix.com/news/Intel-12-May-2023-Microcode
Fake Trezor Hardware Crypto Wallet
https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/
Brave Forgetful Browsing
https://brave.com/privacy-updates/25-forgetful-browsing/
TP-Link Archer AX-21 Command Injection CVE-2023-1389 Exploited
Netgear Updates
Synology Updates
https://www.synology.com/en-global/security/advisory/Synology_SA_23_04