The US Federal Trade Commission (FTC) has published a notice of proposed rulemaking in the Federal Register. The proposed rule would amend the FTC’s Health Breach Notification Rule to add health app developers to the entities that are required to report data breaches. The FTC is accepting public comment through August 8, 2023.
This also refines the definition of a Personal Health Record (PHR) and reinforces the requirement to report breaches of health records not covered by HIPAA. Having a consolidated reference will help those impacted. Our demand to monitor and track our fitness has resulted in a plethora of applications and devices to meet that demand, often delivered with an eye on time-to-market, not data security and reporting. This rule change puts those meeting the demand on notice they have skin in the game. If you're collecting personal health information, or creating applications which do, you may want to weigh in on reporting requirements.
Requiring apps that handle/store personal health records to meet breach disclosure requirements was floated for public comment in 2020 with little to no pushback – it makes sense. Especially as we now see Apple and other health app/device vendors starting to meet increased consumer demands for privacy and making claims for higher levels of personal health data protection.
Federal Register
SC Magazine
Patches are available to address a critical remote code execution vulnerability in Fortinet’s FortiGate firewalls. The flaw is fixed in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Fortinet says the vulnerability may have been exploited to launch attacks against government, manufacturing, and critical infrastructure organizations.
In line with past practice, Fortinet released the patch without details last week. Releasing a patch without indication as to the vulnerabilities, and the severity of these vulnerabilities, does make it difficult for organizations to accurately prioritize the patch.
Bleeping Computer
Bleeping Computer
Security Week
Gov Infosecurity
The Hacker News
Microsoft says that an Azure Portal outage last week was caused by an unanticipated spike in traffic. The incident resulted in customers seeing “service unavailable” messages for several hours on Friday, June 9.
Good reminder to have workarounds for when web dashboards might be down for any reason when the underlying service is still running, as was the case here. For Azure, CLI and REST API connections were still usable and should be documented and periodically tested (and protected) as fallback approaches.
This may be tied to claims of DDoS attacks by Anonymous Sudan, who also claims to have been impacting other Microsoft services including Outlook.com and OneDrive. Microsoft has taken steps to prevent recurrence, and their notice also includes steps you should take on your Azure instance to minimize future potential impacts, to include leveraging the application architecture guidance and ensuring notifications about service issues are both enabled and going to the right places.
There are two possible reasons for an unanticipated spike in network traffic: 1) lack of customer awareness (usage) by Microsoft; or, 2) a DDoS attack. Let’s call it what it was, a DDoS attack that was moderately successful. I fully expect that Microsoft is addressing possible network throughput chokepoints in anticipation of future DDoS attacks.
Azure Status
Bleeping Computer
The US Office of Management and Budget (OMB) has extended the deadline for agencies to obtain software security self-attestation letters from contractors. Originally, agencies had until June 12 to collect self-attestations from providers of critical software and until September 14 to collect the letters from all vendors. The deadline has now been extended to three months after OMB creates a common self-attestation form for critical products, and six months for non-critical products. According to the updated guidance from OMB, agencies will not need to collect self-attestation letters for open-source software.
This changes the impact of the Supply Chain Risk Management (SCRM) aspect of EO 14028. Yeah, this is the prevent a future SolarWinds plan. Essentially NIST SP 800-218 laid out the requirements with OMB M-22-18 setting the enforcement timeline. M-23-16 adds 3-12 months to the process and removes the attestation requirement for open-source software. This alleviates the process at one level but doesn't remove the need to make sure that you're still using the genuine components rather than an "improved" package with "special" features. Note that timing is still tied to the release and approval by OMB of a common form for attestation.
Extensions to OMB mandate deadlines are pretty much standard practice but Software Bills of Material are not very useful if all the software is packed with vulnerabilities because of shoddy development practices.
The extension is reasonable given that the self-attestation form is still in draft form with industry comment through 26 June. Further, even if software vendors cannot meet one or more of the reporting requirements, they can simply submit a PO&M to the government and continue to offer their products for purchase. It is a bit puzzling though that web browsers would be excluded from reporting given their importance and the fact the top browsers are all developed by well-established software vendors.
White House
Security Week
Fedscoop
Nextgov
Apple is improving privacy and security protections in a range of its products. Link tracking protection in Messages, Mail, and Safari Private Browsing will remove tracking data from shared links. A new iOS feature will allow users to share specific pictures with apps while keeping others private. Lockdown Mode will get new features and will be supported on watchOS.
It is a very good thing to see Apple, Microsoft, Google and others react to increased consumer attention (and in the numerous US state laws) to privacy. The best way for security/privacy to be built into software is for buyers to demand it.
Expect these improvements to arrive with iOS/iPadOS 17, watchOS 10 and macOS 14. Sensitive content warnings as well as more information on requested permissions/data use should help guide users. Note that Apple is working to have default-deny if you click the alert without agreeing to the access. While you can access the Developer Beta of these operating systems now, you may want to test them on your backup devices rather than your daily drivers.
Apple continues to make strides in security and privacy, in many ways leading the industry for mobile devices. My one concern with all these different options is complexity. Helping people use technology safely and securely is my full-time job, and I have a hard time enabling all the security options, which can change year to year. So to make security / privacy effective, Apple has to ensure they make it simple (or default). So far Apple has done a decent job of it, and to be honest I can’t think of any company better prepared to make security simple. However, security is of little value if it’s so complex people don’t use it.
Apple
The Hacker News
PC Magazine
9to5mac
The government of the Australian Capital Territory said that it suffered a security breach as the result of a compromised Barracuda Email Security Gateway (ESG). Barracuda disclosed the critical remote command injection vulnerability on May 19 and issued a fix on May 20. More recently, Barracuda urged users whose appliances were compromised to replace them instead of applying patches. The ACT government said that although it had rebuilt its Barracuda system following the vulnerability’s disclosure, an investigation revealed that a data breach had occurred.
Threat hunting, checking for IOCs, has to be continuous. In the ESG case, there was a red flag for you to not only address the ESG but also check for compromise. The trick is you can't sit back waiting on the next alert that something you have is vulnerable or being exploited; you need to be continuously ingesting IOCs and looking for anomalous behavior.
On the surface, Barracuda’s response to the vulnerability was quick. That said, details from the internal investigation imply the evil-doers had compromised the software months before. That’s plenty of time to target and exfiltrate data from compromised devices. The ACT government now has to conduct a damage assessment as well as plan for replacement of the affected devices.
Progress Software has released a patch to address additional vulnerabilities in its MOVEit Transfer file transfer application. Last week, Progress released a patch to fix a critical SQL injection vulnerability in MOVEit. The newly-disclosed vulnerabilities are also SQL injection issues. Progress urges customers to install the June 9 patch.
If you're using MOVEit, do three things immediately. First, apply the patch; second, make sure that you're running a secure configuration; lastly, assume compromise, leveraging the resources on the Progress blog site below to discover unwelcome advances.
By now every organization that uses MOVEit Transfer is well aware of vulnerabilities in the application. Those organizations are left with two things to do: 1) assess for compromise; and, 2) download and install patches as they become available.
Authorities in South Korea have arrested and indicted a former Samsung Electronics executive for allegedly stealing technological intellectual property (IP). The individual hired 200 Samsung and SK Hynix employees and allegedly directed them to steal information from those companies. He allegedly intended to use the information to build a chip manufacturing facility in China.
This report highlights the risk to organizations from insiders who have malicious intent. An insider threat program can help but it cannot fully eliminate the risk. Bottom line: it’s virtually impossible to protect a company’s intellectual property from employees (to include contractors) who have access.
This is an excellent case study in the importance of protecting IP. Humans remain the weakest link, which is why they are targeted. Keep in mind that adversaries like China think in much longer timeframes than we do in the US, like 10-, 50- or 100-year plans, emphasizing the need to both be vigilant and update/adapt your processes to secure IP and the humans responsible for it.
Swiss government agencies have been affected by a ransomware attack against a third-party technology provider and by distributed denial-of-service (DDoS) attacks. The Swiss government released a statement saying that some operational data may have been stolen as a result of the ransomware attack against Xplain, which provides software to some government agencies.
This DDoS attack and the ‘unanticipated spike in traffic’ affecting Microsoft Azure highlight the importance of frequent communication with your Internet Service Provider. Don’t wait until you’re the victim of a DDoS attack to have a discussion about service responsibilities and recovery. Additionally, the ransomware attack announced by Xplain highlights the importance of encryption, to include proper key management, when data is being hosted by a third-party cloud provider.
Indications are this is the "NoName" pro-Russian hacking group which targets NATO-aligned countries and entities in North America, Ukraine and Europe because Switzerland changed its neutrality stance to send aid to Ukraine. The Swiss are electing not to pay any ransom, instead working their response plan, which means the attacks continue while the impacted agencies are working to discover what was exfiltrated and prevent recurrence. Consider what your plan looks like in this scenario, and watch their progress for any tricks you can leverage.
Bleeping Computer
Security Week
Infosecurity Magazine
A recently declassified report released by the US Office of the Director of National Intelligence (ODNI) reveals that the US government is buying large quantities of data about its citizens. While obtaining phone location data would normally require a warrant, the government has circumvented that requirement by purchasing the information from private companies. The report also notes that deanonymization of data deemed to have been sanitized of personally identifiable information is “trivial.”
This isn't the first time we've talked about location data being purchased through third parties to avoid having to follow the subpoena process to obtain it from wireless carriers directly. And the data comes not just from your mobile devices, but also your car, IoT, web site trackers, and other modern technologies. While government agencies may be on notice to toe the line on obtaining the information through law enforcement channels, our adversaries are under no such restraint. The real fix is strengthening laws protecting that data, its use and proper anonymization, but with the value to private industry, it's best to make sure you take action to limit tracking and other information where you can instead of waiting for changes.
Geoserver Attack Details: More Cryptominers Against Unconfigured WebApps
Undetected PowerShell Backdoor Disguised as a Profile File
https://isc.sans.edu/diary/Undetected+PowerShell+Backdoor+Disguised+as+a+Profile+File/29930
DShield Honeypot Activity for May 2023
https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932
Fortinet Update CVE-2023-27997
https://www.fortiguard.com/psirt/FG-IR-23-097
Fortinet Patches CVE-2023-27997
https://twitter.com/cfreal_/status/1667852157536616451
Bitwarden Key Accessible By Low Privileged User
https://hackerone.com/reports/1874155
Western Digital SMART Flag Abuse
Second MOVEit Vulnerability
https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability