By the CyberWire staff
At a glance.
- FTC seeks information from Big Tech on data collection.
- Cybersecurity at the US state and local levels.
- SolarWinds software supply chain incident updates.
- More industry reaction to the SolarWinds backdoor.
US FTC to collect data on big data collectors.
SeekingAlpha says the FTC plans to investigate data collection activities at Twitter, TikTok, YouTube, Facebook, Discord, Snap, Reddit, and Amazon under its broad power to perform open-ended reviews. The inquiry, which Axios reports will be made official next week, covers “everything major tech companies know about their users and what they do with that data, as well as their broader business plans.” A primary concern is how the platforms’ policies impact children. Among the information to be gathered are records about company strategies and user engagement metrics.
Local and state cybersecurity.
Ransomware attacks on local governments are intensifying, and StateTech says a Public Technology Institute survey of ninety-five IT heads shows US officials aren’t as concerned as they should be. Incident response and recovery policies are weak, as is cybersecurity funding and elected official buy-in. On the bright side, a preponderance of respondents said their locale runs cybersecurity trainings and possesses a recently updated cyber plan.
Though a majority of smaller businesses can’t withstand a successful cyberattack, Security Magazine reports Verizon’s findings that those in the US states of South Dakota, Louisiana, and Alabama are most likely to pull through. Small to medium-sized businesses located in Delaware, Alaska, and Maryland have the highest odds of bankruptcy.
Gust of SolarWinds breach reaches UK?
As we heard yesterday, the SolarWinds breach, which Mail Online says was effected through a malware-laced software update, could blow through every branch of the US military in addition to the White House and Defense Department. A majority of Fortune 500 companies, including major telecom and financial firms, use SolarWinds products, which have some 300,000 customers worldwide, though only a small fraction of those installed the tainted update, according to The Telegraph.
London’s National Cyber Security Centre (NCSC) is looking into potential UK casualties like the Defense Ministry, Home Office, Justice Ministry, Cabinet Office, National Health Service, and GCHQ with the help of FireEye, the US cybersecurity firm that discovered the breach. An industry observer commented that the hack, which may have begun eight months ago, “could turn into one of the most impactful espionage campaigns on record.” Potential victims are encouraged to implement FireEye’s recommendations.
Experts suspect Russia’s stealthy Cozy Bear is behind the operation. Business Insider recalls the APT’s many hijinks, including a 2014 attack on the White House, a 2015 attack on the Pentagon and Democratic National Committee, 2016 attacks on think tanks, and 2020 attacks on coronavirus research.
More expert reaction to the SolarWinds supply chain compromise.
We continue to receive comment from private sector experts on the SolarWinds supply chain incident.
Robert Cattanach, a partner at Dorsey & Whitney with experience in cybersecurity and data breaches, privacy and telecommunications, and international regulatory compliance thinks incidents like this call into question the credibility of any claims to data secrecy:
“The compromise of some of our country’s most sensitive public and private entities, presumed to have been executed by Russian attackers, calls into question whether any data can confidently be considered still secret. The attack was audacious in scope, severity, and execution. FireEye and SolarWinds have long been considered the gold standard by public and private cyber experts. The mere fact that their systems were breached, and apparently their most sensitive and potentially dangerous information stolen, without detection until it was too late, means that countless major private and public entities that had been relying on these companies, as well as those sharing information with the compromised federal agencies including especially the Department of Homeland Security, must assess whether any of their data can still truly be considered uncompromised. The sophistication of the hack means that the known victims will be frantically investigating the extent of the compromise, a process which will require months, and which is fraught with uncertainty as forensic experts scramble to recreate the attackers’ point of entry, lateral and vertical movements, and access to highly sensitive information. The targets of the attack will not know with any confidence for several more weeks and possibly months which of their systems was compromised, what immediate steps need to be taken to restore integrity, and what threats might still be lurking. And that is only the beginning. Those entities that had been relying on FireEye and SolarWinds, but which may not know if their systems also have been compromised, will have to take emergency measures to reassess their security posture and make contingency plans for responding to what could be devastating revelations about the ripple effects of the attack.”
Ray Espinoza, Head of Security at Cobalt.io, sees a need for a multi-faceted response:
“The latest cyber espionage campaign is a result of malware that was embedded into a software update that went undiscovered for months. The more we find out, the more security experts are realizing that this could have happened to any organization. When it comes to proposed solutions, or how to avoid a scenario like this, the answers aren’t clear cut. On one hand, we must trust our security vendors to provide secure products continuously through patch updates. On the other hand, we must understand that a vendor’s security product is not infallible. What’s more important is figuring out how to mitigate the risk of any third party product operating in an environment, or having the ability to detect behavior outside of expectations, and limiting the blast-radius of such an event. We know we need vendors to provide certain capabilities, so the priority then becomes evaluating that vendor’s guardrails to determine how they issue secure updates free of malware or backdoors.”
Mark Carrigan, COO at PAS Global, takes the incident as another reason to seek greater visibility. How many enterprises even know their data are accessible through the SolarWinds backdoor?
“Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly-sensitive industrial operations where network visibility is traditionally weaker. In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond.
“You cannot secure what you can’t see, so organizations across every industry must react by first identifying where SolarWinds software is installed across their environments. From there, they must further hone in on their inventory by determining the version(s) that are running to evaluate the vulnerability risk that may or may not be present. Without doing so, these risks get scaled in tandem with the vulnerabilities, and from the industrial perspective, this jeopardizes critical functions that impact everyday life.”
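The first two steps Carrigan describes, finding where SolarWinds software is installed and which versions are running, are scriptable. The PowerShell below is an added example written for this briefing; it is not code from the article, from SolarWinds, or from PAS Global. It assumes PowerShell Remoting is enabled on the target hosts, that the caller holds local administrator rights on them, and that Orion was installed under its default Program Files (x86) location (the assembly name and path used to read the Orion build number are assumptions about that default layout; adjust them for non-standard installs). For each host it records every SolarWinds product registered in Add/Remove Programs, the file version of the Orion core assembly, and the state of SolarWinds services, keeps a row for hosts that could not be reached so that blind spots stay visible, and writes the whole inventory to CSV for comparison against the vendor's affected-version list.

```powershell
<#
  Added example (not from the CyberWire article, SolarWinds, or PAS Global):
  inventory SolarWinds products and Orion build numbers across Windows hosts.
  Assumptions: PowerShell Remoting is enabled on the targets, the caller is a
  local administrator there, and Orion sits under the default path below.
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$OutputCsv = '.\solarwinds-inventory.csv'
)

# Runs on each target: read the Add/Remove Programs keys (64- and 32-bit views),
# read the Orion core assembly's file version, and list SolarWinds services.
$scan = {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SolarWinds*' })

    # Assumed default Orion install path; the assembly's file version tracks the
    # Orion Platform build, which is what vendor advisories key on.
    $pf86 = ${env:ProgramFiles(x86)}
    if (-not $pf86) { $pf86 = $env:ProgramFiles }
    $coreDll = Join-Path $pf86 'SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll'
    $coreVersion = $null
    if (Test-Path -LiteralPath $coreDll) {
        $coreVersion = (Get-Item -LiteralPath $coreDll).VersionInfo.FileVersion
    }

    # Service names and states, so a stopped or missing service is also recorded.
    $services = @(Get-Service -DisplayName 'SolarWinds*' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name):$($_.Status)" }) -join ';'

    if ($products.Count -eq 0) {
        # Emit a row anyway so "nothing registered" is recorded, not silently dropped.
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DisplayName     = '(no SolarWinds products registered)'
            DisplayVersion  = $null
            InstallDate     = $null
            InstallLocation = $null
            OrionCoreDll    = $coreVersion
            Services        = $services
            Error           = $null
        }
        return
    }
    foreach ($p in $products) {
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DisplayName     = $p.DisplayName
            DisplayVersion  = $p.DisplayVersion
            InstallDate     = $p.InstallDate
            InstallLocation = $p.InstallLocation
            OrionCoreDll    = $coreVersion
            Services        = $services
            Error           = $null
        }
    }
}

$results = foreach ($target in $ComputerName) {
    try {
        Invoke-Command -ComputerName $target -ScriptBlock $scan -ErrorAction Stop
    }
    catch {
        # Unreachable hosts are exactly the blind spots Carrigan warns about;
        # keep them in the report instead of losing them to an error stream.
        [pscustomobject]@{
            ComputerName    = $target
            DisplayName     = '(unreachable)'
            DisplayVersion  = $null
            InstallDate     = $null
            InstallLocation = $null
            OrionCoreDll    = $null
            Services        = $null
            Error           = $_.Exception.Message
        }
    }
}

$results |
    Sort-Object ComputerName, DisplayName |
    Format-Table ComputerName, DisplayName, DisplayVersion, OrionCoreDll, Error -AutoSize
$results | Export-Csv -Path $OutputCsv -NoTypeInformation
```

Run it as `.\Get-SolarWindsInventory.ps1 -ComputerName (Get-Content .\hosts.txt)` from a workstation that can reach the targets over WinRM. The registry view only catches installs that registered with Windows Installer, so pair the CSV with whatever your EDR or software-asset tool reports and treat any disagreement between the two as a host to look at by hand.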
Pradeep Khurana, managing director of ContinuServe, notes that this issue came to light during a period of transition between two US Administrations, and that such transitional times are usually accompanied by distraction, overwork, and other stressors:
“Recently it was announced that there was a major cyber breach on major US Agencies. During times of transition, like during mergers, carveouts, or changes in leadership there is often an increase in these attacks and they are more likely to succeed. During transitions, like the current Presidential transition, the security team can become distracted. The security teams may be overworked on other issues and the workforce may be vulnerable to phishing attacks. Due to the transition and new staff, it is more likely that phishing attack emails are clicked on than in steady state conditions.”
— Published on December 15, 2020
Published By: The CyberWire