DoD’s Cybersecurity Maturity Model Certification Is Here: What Your Business Needs to Do to Prepare


On September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the recently released Cybersecurity Maturity Model Certification (CMMC) requirements. The CMMC requirements are designed to ensure that suppliers, contractors and subcontractors working with the DoD’s Office of Acquisition and Sustainment have cybersecurity frameworks in place “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).” Through the creation of the CMMC, DoD appears to be enhancing the requirements of NIST 800-171, ISO 27001 and other cybersecurity-related frameworks.

The CMMC model delineates five “maturity” levels, with level 1 being the least secure and level 5 being the most secure. Once the CMMC takes effect, DoD will assign all solicitations an appropriate maturity level that bidders must be able to meet if they wish to bid on the solicitation.


COVID-19 and Cybersecurity: Combating “Zoombombing” and Securing Your Remote Working Videoconferences


As COVID-19 has prompted a massive shift by organizations to the implementation and use of remote working solutions for their employees, there has been an unfortunate, but not surprising, corresponding rise in malicious actors seeking to exploit remote working solutions.

Over the past few weeks, the most notable and prevalent “digital hijacking” has occurred on the Zoom teleconferencing application. Since the start of the COVID-19 pandemic, there has been an explosion in the number of individuals using the Zoom application. Prior to the pandemic, Zoom averaged approximately 10 million users per day. However, Zoom now estimates that approximately 200 million users per day utilize its videoconferencing application. These users not only include remote workers, but also many school children and teachers who utilize the Zoom application for remote learning.


New York’s New Data Breach Notification Law: What Businesses Should Know


New York’s Stop Hacks and Improve Electronic Data Security Act, which went into effect on March 21, places a greater burden on regulated entities in responding to data breaches and expands the enforcement powers of the New York Attorney General’s office. In order to avoid penalties, businesses would be wise to ensure that they are in compliance with the new law.

For the full alert, visit the Faegre Drinker website.

COVID-19 & Cybersecurity: What Companies and Employees Should Know About Remote Working


The spread of COVID-19 has prompted an enormous shift by organizations to the use and implementation of remote working solutions for a wide range and number of employees. Unfortunately – but perhaps not surprisingly – this shift has provided malicious cyber actors with additional ways to infiltrate remote use networks. The spread of COVID-19 has brought with it a huge surge in data security incidents, as hackers look to exploit new organizational vulnerabilities and distracted and overburdened IT security personnel.


ED and HHS Issue Updated Joint Guidance Regarding Student Health Records Privacy


On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) issued an updated version of their “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the Joint Guidance). Educational institutions at both the K-12 and postsecondary level can be subject to FERPA or HIPAA, and in certain circumstances, both. The Joint Guidance, which was first issued in November 2008 and had not been previously updated, seeks to assist educational institution administrators, health care professionals, and others in navigating what can be a complex intersection between FERPA and HIPAA as applied to health-related records maintained on students. It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA, or without authorization under the HIPAA Privacy Rule, especially when those disclosures relate to emergency health or safety situations.


Disruptionware II – The “Cyber Terminator” and What This New Threat Means to You and Your Data


We recently published a blog about a very new and emerging threat coined “disruptionware,” now faced by workforces in multiple industries – especially focused on workers employed in government and in the health care sector. As first identified and discussed by the Institute for Critical Infrastructure Technology (ICIT), disruptionware is designed to attack the traditional “CIA Triad,” i.e., the confidentiality, integrity and availability of a user’s systems, networks and data. Disruptionware is an emerging form of malware, with a greater adverse impact than more traditional, standalone ransomware attacks, in that it is designed to actually suspend physical operations within a victim organization. Unlike most cyber-attacks focusing on the “IT” networks in a business, disruptionware directly attacks a company’s “Operational Technology” (OT) environments — in short, it attacks a firm’s physical infrastructure in addition to attacking its networks, systems and/or data.

To understand how disruptionware works, one must understand its basic foundational construction. This graphic, reprinted with permission of ICIT, provides an excellent representation of characteristic disruptionware components:

While ransomware is still the leading “go to” form of disruptionware for many cyberattacks, disruptionware introduces many new cyber-attack soldiers to do its bidding, such as:

  • Wipers – wiper malware maliciously wipes data making it unrecoverable
  • Bricking Capabilities – a PDoS (permanent denial of service attack) malware that renders devices unusable by overwriting portions of the device’s firmware
  • Automated Component Attacks – uses tools such as botnets and other automated components to overwhelm a network with inbound traffic, leading to a destructive denial of service attack
  • Data Exfiltration Tools – tools used by malicious actors to target, copy and transfer sensitive data from one network to another; causes extreme disruption of employer business focus and severely taxes human resources of the victim company
  • Enhanced Network Reconnaissance Tools – tools such as remote access Trojans, key loggers and network-mapping tools that infiltrate and permanently destroy the OT environment of their victims

Many of these tools are designed to do more than just encrypt data in hopes of ransom, but to actually and utterly destroy a user’s systems, networks and data permanently. Due to the ubiquitous and intense nature of these attacks, it is imperative that companies immediately consider, at least to start, hardening their IT and OT networks as much as possible as well as provide social awareness training to their employees to help curtail the spread of disruptionware.

The severe danger of disruptionware attacks on the OT environment of critical infrastructure in places like government institutions and hospitals is that the attacks are tailored to their actual business continuity and physical foundational IT and OT systems. Disruptionware attackers particularly focus on targeting the growing connection (and merging) of IT and industrial control systems (ICS). In doing so, disruptionware is able to heap massive potential damages on organizations that are trying to turn these disparate networks into a single unified system. This threat is highlighted by the huge rise in ransomware attacks alone. According to Cybersecurity Ventures, ransomware attacks are predicted to occur every 11 seconds by 2021, with a cost to victims of over $20 billion, and with global cyber-crime-related damages in 2021 estimated to reach $6 trillion.

There have already been some recently identified disruptionware attacks with losses in the hundreds of millions of dollars, as victim companies were unprepared to defend themselves against the devastating damage caused by these multifaceted attacks. So, the natural next question is why disruptionware is so dangerous despite its lack of advanced “sophistication.” This is because disruptionware:

  • Has a high rate of successful compromise
  • Requires little to no continued adversarial effort
  • Consumes a target’s internal resources very effectively
  • Disrupts daily operations
  • Has the ability to spread down the supply chain, making it very attractive to cyber-villains, from traditional script-kiddies to nation-state threat actors

Disruptionware was initially very successful in taking advantage of remote desktop protocol (RDP) attacks which, until the last few months, were a relatively unknown point of entry. In July 2019 alone, there were over 805,000 systems considered vulnerable to RDP exploits — making those systems targets for additional attacks in the form of disruptionware.

In short, disruptionware provides another major advantage for cyber-criminals. In many of these attacks, the cyber adversary may still maintain access to the system, thus allowing installation of backdoors, remote-access Trojans or other types of dangerous or unknown malware. ICIT has noted that disruptionware could also stem from cloud-based attacks, due to its ability to maintain “persistent synchronization” and could even potentially attack millions of devices attached by the Internet of Things (IoT). Disruptionware may allow a cyber-criminal to take control of (or destroy) smart appliances in private residences, such as smart washers and dryers or smart thermostats.

With the assistance of outside counsel, organizations are well-advised to begin thinking about how to confront these new forms of cybersecurity threats from both a business and technical perspective. There are, in fact, multiple defenses that can combat these new and emerging disruptionware attacks.

We will discuss those defenses in more depth in our next disruptionware blog.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.