Cyber Intelligence Weekly (Aug 1, 2021): Our Take on Three Things You Need to Know
Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the Future of Cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Away we go!
1. President Biden Issues Memorandum on Critical Infrastructure Cybersecurity
On July 28th, President Joe Biden issued a national security memorandum focused on improving critical infrastructure control system cybersecurity. The memo directs the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop benchmarks for entities that manage the country’s critical infrastructure.
With the majority of the nation’s infrastructure under the control of private entities rather than public, this push for baseline standards nationwide is much needed.
The memorandum has a few major goals that it is trying to achieve.
- Establish an Industrial Control Systems “Cybersecurity Initiative”. This is meant to be a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems and promote and facilitate the use of technologies and systems to help protect these systems.
- Establish a means for Federal Government to work with industry to share threat information for priority control system critical infrastructure throughout the country.
- Kick-off a pilot effort with the Electricity Subsector that will be followed by a similar effort for natural gas pipelines. The memo also states that the efforts for the Water and Wastewater Sector Systems and Chemical Sector will follow later this year.
- Establish baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems. The Secretary of Homeland Security is to issue preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021, followed by the issuance of final cross-sector control system goals within 1 year.
2. Top FBI Official Advises Legislators Against Banning Ransomware Payments
Recently, legislators at the federal and state level have been considering enacting laws to ban the payment of ransomware. In fact, several states have begun to introduce such legislation. Well intentioned politicians believe that if they ban the payments, the threat actors will stop their attacks. Unfortunately, most security experts believe this will just create a lack of reporting the incidents and will drive us further backwards in coordinated efforts against ransomware.
Recently, FBI Cyber Division assistant director Bryan Vorndran did just the opposite of what these states are trying to accomplish and advised members of the Senate Judiciary Committee against the idea of banning organizations from paying the threat actors behind ransomware attacks.
There are several reasons for this, chief among them are:
- The threat actors not only tend to encrypt an organization's data, but they also steal it and threaten to release it publicly if the ransom demands are not met.
- If companies are legally not allowed to pay ransom demands, it will disincentivize them to report incidents.
- If paying ransom demands is deemed illegal, companies may decide to take the risk and do so anyway because they have no choice or use intermediaries (which is commonplace currently). This opens them up to blackmail and further extortion from the threat actors for paying the ransom.
There is consensus in this conversation around the need for mandatory breach reporting, both on the public and private fronts. Sharing information about these ransomware attacks is critical to the on-going fight against them.
One thing is for sure, there is no easy answer here.
3. Search Engine for Hackable Websites Returns, Pandora’s Box for Web Vulns?
At Defcon this week, two hackers (Alejandro Caceres and Jason Hopper) are re-launching their previously popular tool, PunkSpider, after being on hiatus for years. PunkSpider crawls the internet for vulnerabilities in websites around the world and serves them up like a Google for pwn’able websites. PunkSpider will surf every website on the world-wide-web for several top common vulnerabilities and it will even do fuzzing. The site then categories and indexes the data and provides a database that is searchable by URL.
Many are worried that this tool will be used more for evil than for good. However, the creators of the tool have good intentions and hope that making these vulnerabilities public will cause the owners of the websites to react and fix their buggy coding.
Will this be a Pandora's Box that will make it easier for threat actors to find and exploit vulnerable websites? Only time will tell.