Tag Archive for: agency

Top US Cyber Agency Pushing Toward First Hack Reporting Rule


A new US notification requirement for victims of malicious hacks could push in-house counsel to disclose cyberattacks when faced with ransomware and other network compromises.

Among the first-ever cyber regulations to be enforced by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the top US cyber authority, the proposed rules would require companies in 16 critical infrastructure sectors—including healthcare, energy, and finance—to report security incidents within three days and ransomware payments in 24 hours.

CISA’s proposed rule is part of a US effort to shore up defenses against the increasingly disruptive attacks of cyber criminals and nation-backed hacking groups, while simultaneously streamlining overlapping and inconsistent breach-notification reporting requirements across sectors. The rule would nudge companies toward new hiring and staff retraining, and push general counsel toward more active cybersecurity responsibilities.

The Biden administration set December 2025 as the deadline for the final rule, which was mandated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

“One glaring challenge has been our cyber incident reporting system, which has recently been revealed as a bureaucratic maze,” said Jackie Singh, a consultant who was a senior cybersecurity staffer in the Biden campaign. “With over 50 disparate reporting channels scattered across numerous government entities, this broken system represents a potential Achilles’ heel. Agility is key to withstand cyber threats in a resilient manner; convoluted reporting structures don’t fit into what we commonly think of as ‘agile.’”

Companies only compound cyber threats when they delay reporting information that could protect other companies or national security, Singh said.

The agency’s new rule is designed to encourage greater visibility into cyber incidents with security implications beyond a single company, so information submitted in the breach reports is guaranteed certain protections.

Chief among those: local, state, and federal governments can’t use the information in the reports to regulate a company providing notice, unless…

Source…

India’s cyber security agency CERT-In warns of ‘multiple vulnerabilities’ in Google Chrome | Indiablooms


New Delhi: CERT-In on Thursday released a high-severity alert about “multiple vulnerabilities” discovered in the widely used web browser Google Chrome, media reports said.

Indian Computer Emergency Response Team (CERT-In) said that these vulnerabilities have the potential to enable a remote attacker to execute arbitrary code and induce a denial-of-service situation on the targeted system.

CERT-In is the national nodal agency for responding to computer security incidents as and when they strike.

According to a vulnerability advisory issued on Wednesday by CERT-In, a remote attacker could potentially exploit specific vulnerabilities by sending a specially crafted request to the targeted system. Users are advised to “implement appropriate updates as provided by the vendor.”

In technical terms, the affected software includes “Google Chrome versions prior to 118.0.5993.70/.71 for Windows” and “Google Chrome versions prior to 118.0.5993.70 for Mac and Linux”.

“Multiple vulnerabilities have been reported in Google Chrome which could allow a remote attacker to execute arbitrary code and cause denial of Services (DoS) condition on the targeted system,” CERT-In said on its website, which lists and updates users with vulnerability notes and advisories.

Source…

Medusa ransomware compromises Philippines’ universal healthcare agency


The Philippine Health Insurance Corporation, which manages the country’s universal healthcare system, had its websites and portals disrupted by a Medusa ransomware attack last week, from which it is struggling to recover, reports The Record, a news site by cybersecurity firm Recorded Future.

Impacted systems, including Health Care Institution member portals and e-claims, were immediately shut down following the discovery of the incident on Sept. 22, said PhilHealth President and CEO Emmanuel Ledesma.

“Affected systems shall be restored at the soonest possible time after the completion of the needed configuration and reinforcement of existing information security measures. We are working to restore these systems on Monday, September 25, 2023,” noted PhilHealth.

The Medusa ransomware operation claimed the attack a day after its discovery, demanding $300,000 for the deletion of all stolen data and another $100,000 for an extension of the payment deadline. Medusa provided no information about the exfiltrated data.

Source…

UK Cyber Security Agency to Law Firms: You Are Hacking Targets


UK law firms are attractive targets for cyber criminals because of the large sums of money and highly sensitive information they handle, according to the National Cyber Security Centre.

Firms are also vulnerable in more novel ways due to remote or hybrid workplace setups stemming from COVID-19 lockdowns, the agency said in updated guidance published last week. Remote employees are more likely to connect to unsecured, noncorporate routers. Cyber threat tactics have also become more sophisticated, the report said.

The organization is “increasingly seeing ‘hackers-for-hire’ who earn money through commissions to carry out malicious cyber activities for third party clients, often involving the theft of information to gain the upper hand in business dealings or legal disputes,” it said.

Phishing emails to employees are among the top ways hackers attack law firms’ information. The NCSC reported that 79% of all cyber attacks were phishing attempts.

The report recommended maintaining strong company governance to minimize the risk of cyber threats as well as investing in training for all staff members to improve security culture.

The updated guidance is a “timely intervention,” said Lubna Shuja, president of the Law Society serving England and Wales. The initial report was published in 2018.

Last week, Bloomberg Law reported that US firm Bryan Cave Leighton Paisner was hit by a cyberattack that compromised client data.

In April, Proskauer Rose confirmed that its clients’ data, including sensitive financial information, had been exposed to hackers.

Goodwin Procter and Jones Day data was exposed through a breach at tech provider Accellion, now known as Kiteworks, in 2021. The firms acknowledged that the breach had left confidential client data exposed.

The American Bar Association said in 2020 that nearly 30% of U.S. law firms reported a security breach.

Source…