Back in March 2019, I wrote an ICYMI article that examined cyber security-related items that might have been slightly under the radar and in my opinion warranted additional exposure.  Since it is now six months later, I think it’s time to revisit recent items that you may have missed.

Massive Open Online Courses (MOOC)

At the beginning of each Performance Management cycle, we would establish professional development plans for myself and each member of my team. Given that I had a limited security department budget, I always looked for cost-effective ways to provide training opportunities.

In one instance, I wanted my entire team to get up to speed on industrial control system (ICS) security. I was able to negotiate a bulk rate for my team to access online, self-paced ICS training that included professional certification. But to my initial point, I am a big fan of MOOCs for providing free training opportunities on a wide range of topics including cybersecurity. MOOCs are offered by universities, taught by faculty, and freely available. I recently ran across a website that has a number of free courses including but not limited to Cryptography, Risk Management, Software Security, Hardware Security, etc.

The other attractive aspect of MOOCs is the variety of available topics. For example, if a member of my team was weak in general report writing, we would find a related MOOC course that could be taken to improve writing skills. Even prestigious universities such as Harvard offers free access to video-taped lectures. Whatever your training and educational needs might be, MOOCs are a great option.

RiskBased Security Issued a Report Entitled “Cyber Risk Analytics – 2019 Midyear Quick Review Data Breach Report"

The report is available for access on RiskBased.  The brief, fourteen-page report is well worth perusing for a glimpse into data breaches which according to the report, “2019 on track to being the “worst year on record” for breach activity”.  Compared to 2018, “the number of reported breaches was up 54% and the number of exposed records was up 52%.” 

Supermicro Server Vulnerability

A new Supermicro server security vulnerability was discovered by Eclypsium researchers. The flaw was found in three generations of Supermicro motherboards that could allow for remote hijacking.

The flaw involves remote administrator management for general maintenance and updates via the baseboard management controller (BMC). The issue is that BMCs are typically left open to the internet to allow remote maintenance, and, as Eclypsium found, these interfaces are not very secure. Supermicro has issued a fix for the BCM/IPMI interface, but in the interim, blocking TCP Port 623 will minimize exposure until the fix is applied.

By scanning the internet, Eclypsium found 47,339 TCP 623-exposed BMCs around the world. CISOs may want to ensure their cloud service providers have addressed this issue if they use Supermicro servers.

IBM Mainframes 

Over the years, news of the mainframe’s demise has been greatly exaggerated. For some large and complex applications, mainframes can be the perfect platform. IBM’s new Z15 mainframe platform provides a private and secure environment. Security and privacy protections make more business sense than ever since January 2019 when the European Union and the United States Federal Trade Commission levied huge fines against Equifax ($575M), Facebook ($5B), British Airways ($230M), Google ($57M), and Marriott ($123M).

IBM’s Z14 platform encrypted everything on the mainframe that did not result in performance degradation. The Z15 goes a step further by including “a whole host of data-centric privacy controls, under the umbrella of IBM’s Data Privacy Passports solution. These include new Trusted Data Objects (TDO), which provides protections that move with data wherever it goes- to an x86 server, a PC, tablet, phone, or IoT mid-point.”

With the Z15, IBM endeavors to extend its future relevance into the secure hybrid cloud. 

Electric Grid Firewalls

From the “when will we ever learn” file: on September 4, 2019, the North American Reliability Corporation (NERC) issued a report about a March 2019 incident where internet-facing firewalls experienced repeated 5-minute outages over a 10-hour period.

The firewalls were situated between an electric operator’s control center and multiple remote generation sites and between equipment on these sites. Displaying a classic Denial of Service (DoS) type attack, the investigation found that the outages were due to repeated reboots of the firewalls at each of the sites.  The firewall vendor had released a firmware update designed to address the exploited vulnerability prior to the event, but the operator had not deployed the update across the environment.

Ransomeware Lessons Learned

In late June 2019, Lake City, Florida fell victim to a ransomware attack and payed the perpetrators close to $500,000.00 to recover from the attack. In the aftermath of the attack, the city fired their IT director, Brian A. Hawkins. According to a New York Times article, Mr. Hawkins is filing a lawsuit against the city alleging that he had warned the city about the vulnerability and the need to invest in an expensive, cloud-based backup system. 

An August 2019 Baltimore Sun article noted that two senior IT managers (one of whom served as acting IT director) have been replaced while the city continues to recover from a ransomware attack. The May 2019 ransomware attack rendered some of the city’s computer systems offline for three months and losses are expected to end up somewhere in the realm of $18 million, including in new equipment, contractor support, and delayed revenues. 

The bottom line is that there needs to be a formal risk management program that includes whether risks are mitigated, transferred or accepted. In cases where risks are accepted, there needs to be documented identification of responsible party or parties accepting the risk(s). I have been in situations where backup systems were deemed to be too expensive and thus, we were vulnerable.

Obviously, ransomware attacks are on the rise and highly publicized.  My concern is that IT officials may be unfairly scapegoated for these attacks. Officials above their pay-grade have been warned but are often making detrimental decisions that could compromise the effects of these attacks, as in the case of Mr. Hawkins in Lake City, Florida.

Share This Article

  

CISOBox Demo

See how CISOBox can help you with incident response handling, including graphs, analytics, and communication coordination.

Higher Education Case Study

Wondering if CISOBox is right for your organization? Read about Case Western University and the impact CISOBox had for them.