Change Healthcare Estimates Breach Costs; More Patches from Ivanti; LabHost Phishing-as-Service Shutdown

Not to excuse Change Healthcare's failure to maintain essential security hygiene levels but the UnitedHealth quarterly report points out that the $872 million charge for bad security decisions is dwarfed by the $7B charge against earnings due to losses on sale of their Brazilian operations and currency losses. The key to getting buy-in for change is not just pointing out incident costs, it is showing how low the cost of avoiding incidents can be.

Two concerns for Change Healthcare: 1) the estimate is likely low given the probability of pending lawsuits; and 2) potential regulatory action given vendor consolidation that results in single points of failure in this critical infrastructure sector. Both concerns should be addressed by the board.

After tireless work for a decade on grappling with cybersecurity issues in healthcare, it just turns out that if you have billions of dollars in losses in healthcare, people start to pay attention. Who knew that ransomware would force the issue such that your MRI machine running Windows XP is no longer acceptable?

A detailed write-up of the vulnerability, including an exploit, has been published. Expect that this vulnerability is already widely exploited, and exposed Avalanche systems should be considered compromised at this point.

MDMs are a hot target these days, and Ivanti Avalanche (MobileIron) is no exception. The possible exploits also include DOS and executing arbitrary commands as SYSTEM. The CVSS scores on the vulnerabilities range from 4.3 to 9.8, the easy button here is update to 6.4.3. Before you run off and click install on 6.4.3, make sure you have the MSSQL credentials, they are not stored, and you'll need to provide them to the installer.

Not only should all applications be considered compromised, all devices managed by them should be considered compromised.

I know the idea of commoditizing an attack platform seems wild, but that is exactly what this was Phishing-as-a-Service. Don't assume this was a unicorn; this takedown involved law enforcement from nineteen countries, which is amazing by itself, and also gives a sense of what's needed to take down other such services. So, celebrate the takedown, but don't yet pump the brake on user-awareness training or implementing technical measures to help users make good choices.

Cyber-crime has changed over the years and now many aspects have been commoditized as part of a global criminal operations. While we celebrate this law enforcement takedown, another service will pop up as the potential pay-out continues to be lucrative. One must ask, would these cybercrime services continue if a ransom payment became illegal?

It looks like Octapharma is a victim of the BlackSuit ransomware, deployed after an infiltration of their VMware servers. While Frontier is claiming services are restored, customers are finding they are still offline. Resist the temptation to declare systems are online without validation, as hard as it is to get back on your feet, those still not having service will not appreciate that.

Chainalysis pegged global ransomware payouts at $1.1B in 2023. While neither company has confirmed that it was a ransomware attack, safe money is on just that. No time like the present for every CSO/CRO/CISO/CIO to revisit their disaster recovery plans with a focus on vulnerability and configuration management processes. The bad guys will continue to target companies, as the potential payout is just too great.

These attackers are pulling every trick in the book to anonymize or obfuscate their origin, and they are not targeting specific organizations. Don't review the blog from Talos and relax when your technology is not listed. Instead make sure that your Internet-facing services are on current, supported, updated software and hardware and that you're following security best practices. Make sure you're only exposing necessary services to the Internet. Beyond making sure that you've got MFA enabled, particularly on Internet facing services, make sure that your account (and MFA) reset services are sufficiently resistant to social engineering.

It turns out that weak passwords are still a problem. I really do blame VPN software vendors for making the problem very difficult to solve. It's very easy to create a VPN login with a username and password, but it is extremely difficult to add any other types of authentication to it. If the industry can fix that problem, then we may see these attacks dwindle.

For an attack to be efficient, not only must it be cheaper than the value of success, it must also be cheaper than all the alternatives. To date so called social engineering has been the most efficient attack. Has anything changed?

In addition to updating to the latest version of OpenMetadata, make sure that you are not using default credentials and strong authentication. Make sure to leverage available container security products. Don't set yourself up for the conversation about why available security capabilities were not used or turned off.

The Microsoft team is again coming in with these pretty interesting attacks happening in Kubernetes. Like Kubeflow, this is another one where it's just easier to open up the dashboard than concern myself with authentication. This means attackers will run and take advantage once they realize what you have done.

We are all getting smarter on AI, particularly with LLMs, and starting in a private cloud or on-premises deployment is a low-risk option you should be leveraging. These guidelines are the droids you've been looking for. Make sure the deployment environment is sufficiently hardened, current, and only connected to what it needs. Protect your model, make sure users are trained, and cross-check with humans while you're all learning. Monitor it as you would any other high value system, and double (triple?) check the risks around decisions to integrate AI into your automation solutions.

Prefer curated, application specific, training data. Test thoroughly and continuously. Build in governance and transparency from the ground up. Caution users that they are responsible for all the properties of any results.

While the guidelines are specific to AI systems, the security best practices contained therein are applicable to any application deployment. The same cybersecurity guidance (CIS Critical Security Controls, ISO 27001, NIST CSF, etc.) used to protect your environment today is still applicable. The only difference when it comes to AI systems is an increased focused on data integrity.