In one look.
- The US SEC refuses to change the disclosure rules.
- Missouri is hiring a security company to help with data breach and identity protection.
- Binding operational directive 22-01.
- Four spyware companies added to US entity list.
The US SEC refuses to change the liability in the consolidated audit trail incident disclosures.
The Securities and Exchange Commission has decided not to accept an amendment proposed by CAT LLC to limit the liability of stock exchanges and self-regulatory bodies connected to the Consolidated Audit Trail (CAT). The amendment proposed that these organizations, Pensions & Investments declared, “shall not be responsible for the loss or corruption of data submitted by a CAT registrant or a CAT reporting agent to the CAT system”. The SEC said it could not conclude that the amendment was “necessary or appropriate in the public interest, for the protection of investors and for the maintenance of fair and orderly markets, for removing barriers and perfecting mechanisms for a national market system, or otherwise in pursuit of the objectives of the Exchange Act. “
Missouri Hires Security Company After Vulnerability Is Discovered In State Websites.
In a move at least temporarily related to the exposure of teachers’ personal information on a state education website, the US state of Missouri has retained Identity Theft Guard Solutions (the “Identity Experts”) for the services Data Breach Correction and Identity Protection, Missouri Lawyers Media Reporting. The problem with the Department of Elementary and Secondary Education website was discovered and responsibly disclosed by the St. Louis Post-Dispatch. Missouri Governor Parson’s reaction to the newspaper’s investigation was to label his work a criminal hack and to call for prosecutions against the Post-Dispatch and its reporter. The call for prosecution was greeted with surprise and skepticism at the time, and the governor’s office did not respond to an investigation into it.
US federal agencies responsible for addressing known and exploited vulnerabilities.
The CISA issued Binding Operational Directive 22-01, which requires U.S. federal civilian agencies other than the CIA and ODNI to address known and exploited vulnerabilities. The directive, which comes with a new catalog of vulnerabilities, will require the agencies concerned to correct nearly three hundred known flaws identified between 2017 and this year. The bugs on the list are rated as a “significant risk to federal business.”
The directive specifies:
- “Within 60 days of posting, agencies must review and update the agency’s internal vulnerability management procedures in accordance with this directive.”
- “Correct each vulnerability according to the timelines specified in the Vulnerability Catalog maintained by CISA.”
- “Report on the status of vulnerabilities listed in the repository.”
Some industry experts have offered a quick reaction to BND 22-01. Saryu Nayyar, CEO of Gurucul, agrees with the focus on fixes and notes that fixes need to be done correctly for them to work as intended:
“Patching software and operating systems should be high on the IT priority list. CISA is stepping in now, asking government agencies to apply all fixes by November 17. Applying patches can be a complicated process, as patches must first be tested in the production environment, but must take priority over less critical activities.
“Too many organizations think that patching software is optional and should not be done immediately. It’s refreshing to see that CISA has listed a full list of known vulnerabilities along with the relevant fixes. Every organization, even those outside of government, should obtain this list and use it to check their own patch programs.
Bill Lawrence, CISA SecurityGate, gives CISA high marks for focus and efficiency:
“CISA continues to impress with its focus on defending government networks and systems by executing the basics of ‘blocking and combating cyber’. It is disappointing that it takes a binding operational directive for US federal departments and agencies to implement critical fixes, but kudos to the CISA for recognizing this problem and using its authorities to enforce action. There was quite a bit of controversy in 2017 with a similar directive for Kaspersky products, but this action is obvious. Let’s see if it migrates quarterly in 2022 rather than annually. “
James Hayes, vice president of global affairs at Tenable, endorsed the focus on patches as an important part of digital hygiene:
“The vast majority of cyber attacks are the result of poor IT hygiene. The Binding Operational Directive (BOD) announced by the CISA and the Joint Cybersecurity Defense Collaborative intelligently focuses efforts on obtaining the foundation necessary to better protect federal systems against cybercrime. This effort establishes inventories of commonly exploitable vulnerabilities and forces agencies to address them in a timely manner. Improving collective defense efforts between government and industry will strengthen our national cybersecurity posture. “
And YouAttest CEO Garret Grajek believes the directive is a service to the security community as a whole:
“CISA’s Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, is a great service to the security community. The fact that the far-reaching document includes products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM and others shows how far the problem goes. And also how to approach only the individual components, while necessary, is a losing game. The fact that vulnerabilities exist in virtually any resource implies for security personnel that a comprehensive methodology must be in place to mitigate an attack that could originate from anywhere.
“The new commonly accepted methodology is Zero Trust – where each ‘leg’ of the system must confirm the identity of the requesting party. In a zero trust system, identities and requests for information must be constantly validated at every stage of the process. The attestation of identity to guarantee the principle of least privilege PR.AC-6 is also imperative in a zero-trust system.
The US Department of Commerce sanctions four suppliers of interception tools.
The US Department of Commerce has sanctioned four companies for providing spyware to foreign governments. NSO Group and Candiru (both based in Israel) were added to the list of entities, as were Positive Technologies (a Russian company) and Computer Security Initiative Consultancy PTE (headquartered in Singapore).
Of the two Israeli companies, Commerce said they “were added to the list of entities based on evidence that these entities developed and provided spyware to foreign governments who used the tools to maliciously target. government officials, journalists, businessmen, activists, academics and embassy workers. These tools have also enabled foreign governments to carry out transnational repression, which is the practice of authoritarian governments targeting dissidents , journalists and activists outside their sovereign borders to silence dissent Such practices threaten the rules-based international order.
Positive Technologies and Computer Security Initiative Consultancy were placed on the entity list after, Commerce said, “a determination that they are trafficking computer tools used to gain unauthorized access to information systems, threatening confidentiality and the safety of individuals and organizations around the world “.
The sanctions, Commerce explains, represent a movement in favor of human rights. “This effort aims to improve the digital security of citizens, combat cyber threats and mitigate illegal surveillance and follows a recent interim final rule issued by the Commerce Department establishing controls on export, re-export or transfer to the country of certain items that can be used for malicious cyber activities, ”the ministry said in its announcement.