Utah Local Entities Flunk Security Audit; Expect More Meta-scale EU Fines for Data Privacy Violations; Public Package Repositories Are Being DoS-ed with Malware

This was a pretty broad audit, sent to over 600 county, city, town, school districts, colleges, universities, etc. However, only 37% even bothered to respond which seems to say there aren’t many cybersecurity carrots or sticks at the state level that would drive local entities to take cybersecurity seriously – not adopting the CIS framework is a point of evidence. Of the respondents, the numbers for the larger entities (counties and cities) aren’t that far from typical at that level. The smaller entities are likely the same but an across-the-board lack of emphasis on user awareness and education (combined with no minimum standards such as Implementation Group 1 of the Critical Security Controls) means high risk of phishing attacks succeeding.

In 2021, Utah became the second state in the nation to create a legal safe harbor for private sector companies that implement a cybersecurity framework (i.e., NIST CSF, CIS Critical Security Controls). The legislative body followed that up by auditing the cybersecurity practices of state/local government agencies. The CIS critical security controls are referenced because that provide a prioritized set of actions [safeguards] for any entity, public or private, to follow to establish an effective cybersecurity program.

Having a framework which is then mapped to a control standard is key to implementing a consistent risk-based approach to securing systems. NIST and CIS have free frameworks, with a lot of supporting documentation on implementation, that can give you a leg up here.

This story is making headlines due to the €1.2 Billion fine which is the highest GDPR fine issued to date. However, the other penalties, such as the transfer of EU personal data back from the US to the EU, the deletion of EU personal data within the US, and the stop to the flow of EU personal data to the US, will have a much bigger impact on Meta as it will have to make significant changes to how it runs its business. The Irish Data Protection Commission has given Meta 5 months to comply. Meta will no doubt appeal the rulings and many companies that currently transfer EU personal data to the US, or to US companies with operations in the EU, will watch this case very closely as they too could face similar penalties. At the heart of the issue is the lack of human rights protection for non-US citizens to US mass surveillance laws and until fundamental changes are made to such laws this will be an ongoing issue. Currently the US and EU are negotiating a new framework to enable the transfer of EU personal data to replace the EU-US Privacy Shield but there is no guarantee this will address the core issue.

Meta, a US-based company, being sanctioned because of US government access to user data is not very different from the US sanctioning Huawei, a China-based company, for suspected government access. Just because technology leaps across borders does not mean, and never has meant all countries have to allow it to do so. Companies should be building business plans and IT architectures that build privacy and data security in to support opt-in exposure models and higher levels of privacy than required in the US.

In a previous ruling by the Ireland court, Meta was asked to suspend the data transfers. Meta disagreed. There is deal pending between the US & EU to allow for these types of data transfers; until that is squared away, use caution if you're transferring EU user data to the US.

To date, €1.2B is the largest fine ever assessed for GDPR violations. It serves as a wake-up call for companies that retain the personal data of European citizens. The explosive growth of social media platforms led to certain enterprise architecture decisions that make it difficult for companies like Meta to comply with GDPR. Some amount of re-architecting will be necessary in order to meet the six-month deadline imposed by the EU Data Protection Authority.

Deficiencies were reported in agency Use of FedRAMP, Metrics and Continuous Monitoring. All of the audited agency systems were using FedRAMP authorized cloud service providers, the deficiencies noted were mostly paperwork issues. The lack of metrics is a federal government-wide issue where the FISMA CIO cybersecurity metrics tend to change each year and focus on low level controls vs. proven operations performance metrics such as Time to Detect/Time to Respond/Time to restore. The lack of continuous monitoring of cloud services is likely from inability to extend on premise monitoring out to disparate cloud services – all FedRAMP approved CSPs are required to provide the data.

FedRAMP gives you a big head-start implementing 800-53 controls, but you still need to set up incident response and notification agreements, as well as make determinations on what, if any, log information can be forwarded to your SIEM. Many SaaS providers don't provide logs this way, but they do have response capabilities, you need to run these to ground before getting your ATO.

The connectivity issue was quickly diagnosed and corrected by the ASUS team. What’s interesting is that the component is updated regardless of whether the user has automatic security updates enabled. It raises the question: should security updates be automatically applied by the vendor or should the end organization be in control of when security updates are made?

This ties back to a flawed ASD update file. If your router is still misbehaving, try rebooting it. Worst case you're going to have to do a hard reset. What is not yet known is why this impacted routers which had been configured not to rely on these updates.

The CVSS severity rating [9.8 out of 10] and existing proof-of-concept exploit code elevates the priority of patching for these vulnerabilities. The vulnerabilities do serve one possible benefit for Cisco: exposing counterfeit switches that were procured unknowingly by organizations. Patching is the only way to protect the switches, which requires a valid Cisco license.

While it may be a "computer" in one sense, a properly implemented switch is a single-application purpose-built appliance. One would not expect that its procedures could be corrupted by its traffic. One would not expect a switch to be able to execute arbitrary code. Such a capability is an implementation induced vulnerability. One suspects that such a capability exists for the convenience of the developers, not value to the users.