Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Before we get started on this week’s CIW, I’d like to highlight a recent article from our blog surrounding the coming cybersecurity incident reporting requirements for financial institutions. The compliance date is May 1, 2022, so please check it out today!
Away we go!
1. SEC Steps up Cybersecurity Requirements in a Big Way
The landscape for mandatory cybersecurity risk management and incident reporting has been evolving rapidly. In last week’s CIW we talked about a bill that recently passed the Senate to require critical infrastructure companies to report cyber security incidents no later than 72 hours following the incident. We also recently wrote about a new incident reporting requirements for the financial services industry where covered entities must report certain cyber incidents no later than 36 hours after the incident occurs. The incident reporting for financial institutions takes effect May 1, 2022.
This past week brought a proposal from the SEC that steps up cyber incident reporting requirements for public companies. It also incorporates broad cybersecurity risk management and governance practices. In a written statement from SEC Commissioner Caroline Crenshaw, she noted that cybersecurity is one of the biggest challenges that organizations face today and is also one of the “biggest and strategic risks to national security, economic prosperity, and public health and safety.”
This proposal seeks to update and improve upon the original SEC requirements from 2018. The 2018 requirements were somewhat open ended and vague in spots and that has led to inconsistent reporting at the public company level.
The proposed rules would impose several new requirements on SEC registrants to disclose cybersecurity incidents and other material risks. More specifically, the new rules will require SEC registrants to:
- Disclose information about material cybersecurity incidents within four business days after they have determined they have experienced a reportable incident. This will be reported on Form 8-K.
- Provide updates relating to previously disclosed cybersecurity incidents. No more one and done reporting, investors need to understand how these incidents have played out.
- Disclose when “previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”
- Disclose information regarding management’s policies and procedures, if any, for identifying and on-going management of cybersecurity risks.
- Disclose how cybersecurity risks are governed, including the board of directors’ oversight role regarding cybersecurity risks and management’s role and relevant expertise in assessing and managing cybersecurity risks and implementing associated policies, procedures and strategies.
- Disclose the cybersecurity expertise of members of the board of directors.
The proposed rules are emblematic of an overall shift occurring in the mindset of lawmakers in the importance of both government and industry recognizing and addressing cybersecurity risk. As a cybersecurity risk management professional, I truly believe there is a correlation between strong enterprise value and strong cybersecurity controls, and these new proposed laws are indicative of those ideals. Comments on this proposed rule are being accepted until May 9, 2022. This will be an interesting one to watch develop.
2. Hackers in Space Disrupt Satellite Systems and Customers
California based Viasat and Western intelligence agencies are investigating a cyberattack on their satellite systems that have supposedly knocked out internet connectivity and communications for tens of thousands of people across Europe, including the Ukraine. The disruptions started on February 24th, around the same time that Russian forces were invading the Ukraine.
The attack against KA-SAT has reportedly rendered the modems that they communicate with completely inoperable. The attackers apparently accessed the “management section” of the satellite operations and used that to stage their attacks. Viasat has called in Mandiant to perform the investigation.
Photo: KA-SAT satellite coverage area, Wikipedia.com
This cyber-attack is of special interest to various intelligence agencies because Viasat also operates as a defense contractor for the United States as well as many of its allies, in addition to the fact that this is such a broad scale war time cyber operation that affected so many civilians.
While no attributions have been officially made, all signs point back to the Kremlin.
3. Serious Flaw Found in Microsoft’s Azure Automation Service
Yanir Tsarimi, a cloud security researcher at Orca Security found a serious flaw in Microsoft's Azure Automation service that would give out authentication tokens that belonged to other organization’s accounts. This bug was dubbed “AutoWarp” by Orca Security. This flaw allowed for unauthorized access to other Azure customer accounts using the Azure Automation service. Exploitation of this flaw essentially grants full control over resources and data belonging to the successfully targeted account. That’s what we call a pretty big deal.
The access granted by this flaw using the stolen tokens is dependent upon the permissions granted by the legitimate Azure customer, however, the breath and severity of impact was still very severe. According to an Orca Security blog, this bug affected the Azure accounts of a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more.
Microsoft fixed the flaw in December of 2021 and notified customers that were affected by this bug. They also noted in a blog post about the matter that they did not observe any abnormal activity nor have they detected any evidence of misused tokens.
Thanks for reading! Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more point solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about