More stories

  • DHS releases new mandatory cybersecurity rules for pipelines after Colonial ransomware attack

    The DHS’s Transportation Security Administration (TSA) has unveiled a new security directive forcing owners and operators of important pipelines to put more stringent cybersecurity protections in place.

    This is the organization’s second security directive and it applies to all TSA-designated critical pipelines that transport hazardous liquids and natural gas.

    The move comes two months after cyber attackers were able to cripple Colonial Pipeline for about a week, leaving millions along the East Coast of the US scrambling for gas. Colonial had repeatedly postponed a cybersecurity review by the TSA before they were attacked by a ransomware group in May. They ended up paying close to $5 million to the DarkSide ransomware group in order to decrypt their systems.

    Secretary of Homeland Security Alejandro Mayorkas said the latest security directive would help DHS ensure that “the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats and better protect our national and economic security.”

    “The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats,” Mayorkas said. “Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

    CISA worked with the TSA on the guidelines and informed the pipeline industry of the cybersecurity threat landscape. They provided technical countermeasures designed to stop the current slate of threats, according to a statement from DHS.

    The directive specifically mentions ransomware attacks and lists actions pipelines should take to protect themselves. It also orders pipeline operators to “develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

    The first directive was issued in May after the attack on Colonial and orders pipelines to report any confirmed or potential cyberattacks, have a designated cybersecurity coordinator on call 24/7, review security practices and look for security gaps. Pipelines were ordered to do all of this and report the results back to TSA and CISA within 30 days. Those who ignored the orders faced potential fines.

    While DHS did not release a detailed list of what was required in the latest security directive, the Washington Post reported that all pipeline operators need to create contingency plans and ways they could recover from an attack. A DHS spokesperson told the newspaper that the directive had “security sensitive information” and would only be distributed to a limited group of people. Bloomberg News, which first reported that the second security directive was coming, noted that some pipeline operators have balked at some of what is in the directives, including rules that covered password updates, Microsoft macros, and programmable logic controllers.

    There has been considerable debate among experts and lawmakers as pressure grows on the government to hold private sector companies accountable for cybersecurity lapses. Colonial Pipeline and many other pipeline operators ignored cybersecurity reviews by the TSA before the ransomware attack that sparked outrage for weeks.
    In conjunction with the DHS directive, CISA released an alert on Tuesday about a spearphishing and intrusion campaign targeting pipelines that was conducted by state-sponsored Chinese actors from December 2011 to 2013.

    Of the 23 attacks on gas pipeline operators discovered by the FBI at the time, 13 were confirmed compromises, three were near misses, and eight had an unknown depth of intrusion, according to CISA.

    “CISA and the FBI urge owners and operators of Energy Sector and other critical infrastructure networks to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this advisory, which include implementing network segmentation between IT and industrial control system/operational technology networks,” CISA said in the alert. “CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft.”

  • How Masergy solves last-mile issues with new Performance Edge service

    SD-WAN (software-defined wide-area networks) and SASE (secure-access service edge) are arguably the most transformative networking technologies in the past three decades. Nearly all network professionals with whom I work are either in the process of, or planning, an SD-WAN deployment. 

    The reason interest is so high is that the architecture of an SD-WAN is optimized for cloud computing, while legacy WANs were designed for client-server computing. One can’t run a cloud-first company on a network that was built for a computing model that’s eventually going away. SASE modernizes security and enables businesses to secure their networks without having to deploy expensive hardware everywhere.

    As popular as SD-WANs and SASE are, it’s important to understand that they are not a panacea for networking problems. What SD-WANs do well is optimize the connectivity between branch offices and the cloud when multiple connections are used. For example, a business could use a combination of cable and 4G and then use SD-WAN to route traffic across the two connections, depending on which is currently performing better. This can be significantly less expensive than purchasing a corporate-grade network (such as Ethernet) but still offer great performance.

    While this addresses many use cases, there are situations where two broadband connections are not available or are not cost-effective. This could be for home-based workers, small branch offices, or locations where telecom services are not available. In this case, the business would be faced with a tough decision: Choose the low-cost broadband connection but be faced with situations where the quality of service is low. This isn’t optimal, because applications such as video do not perform well under those circumstances.

    Influx of video conferences impacting older networks

    Because we live in a world where we are on Webex, Zoom, and other video apps seemingly all day long, this choice could have a significant negative impact on worker productivity and customer experience. The other choice is to purchase a high-price network service to create a more predictable last-mile experience. Based on my assessment of Masergy’s Performance Edge, customers do not have to make that choice.
    The proprietary technology optimizes the performance of that last-mile connection and brings Ethernet-like performance over a single broadband connection. Technically, what the company is doing is applying a combination of WAN optimization techniques, such as forward error correction (FEC), acceleration, and advanced routing algorithms to accomplish this. Customers who use the Masergy Performance Edge service will realize the following benefits:

      • Better performance. The service minimizes packet loss over public broadband for predictable application performance. This is something that’s unique to Masergy and was a previously unsolvable problem.
      • Lower cost. Masergy estimates customers can save up to 70% in costs compared with private lines. This number seems reasonable, given the high cost of traditional telco services. There are some situations, such as rural areas, where I would expect the savings to be higher; Ethernet and other private services can be very expensive.
      • Fewer outages. Performance Edge uses Masergy’s AIOps capabilities to automate problem resolution, which can find and resolve issues before they create outages.
      • Fast to install. Unlike conventional telco services, which can often take months to deploy, Performance Edge can be turned up in days and can give existing circuits an immediate boost.

    Combines several functions to optimize the end-to-end network

    One of the important aspects of this service is that it connects users to Masergy’s global software-defined network. If all the company was doing was providing last-mile optimization, the impact to the customer would be limited, because the middle mile is where problems often occur. Performance Edge assures users that the last mile is performing, but then the traffic is carried over Masergy’s high-performance backbone, enabling the end-to-end network to be optimized. It’s this combination of Performance Edge, global backbone, SD-WAN, and SASE connectivity that makes Masergy unique, because the company can design a network that addresses all a customer’s needs, regardless of office size, where it is located, or what type of network connectivity is available.

    While not the best-known service provider, Masergy has been innovative over the years. The company is known to have one of the best-performing networks in the industry, and that’s because it was initially built to deliver Cisco Systems TelePresence services globally. That form of video never saw the hockey-stick growth curve that many industry people had expected, leaving Masergy with a high-performance network in an environment where best-effort services were good enough. The pandemic ushered in the era of video everywhere; Masergy has seen strong growth because businesses now understand that with video, good enough is not good enough. Masergy also was the first service provider with a commercial AIOps offering, enabling it to resolve outages faster than previous providers. More importantly, this functionality often remediates issues before they impact the business. Now the company is rolling out Performance Edge, which brings private circuit performance to broadband.

  • Google, Bloomberg and Facebook pledge support for second year of Security Training Scholarship Program for women

    The Security Training Scholarship Program will be expanding thanks to the success of its inaugural year and a pledge of support from Google, Facebook and Bloomberg.

    The multi-stage security training program — run by Women in Cybersecurity (WiCyS) and the SANS Institute — is designed to help women advance their careers in cybersecurity by learning fundamental cybersecurity concepts and skills. The end goal of the program is to get participants employed in cybersecurity within the next 1.5 years.

    Google originally teamed up with WiCyS and the SANS Institute last year to create the program as a way to address the lack of female representation in the cybersecurity industry. Participants took part in interactive challenges like Capture the Flag (CTF) and the SANS CyberStart Game while also covering topics ranging from forensics and web attacks to programming and Linux. The program gave each participant a mentor that guided them through all of the program’s stages. After graduating, the top participants are given access to SANS foundational security training courses. On top of getting the participants employed in cybersecurity, the program’s goal is to create a powerful network of women in cybersecurity that can help others join the industry down the line. More than 30% of students were able to find employment in direct information security roles before the program ended.

    According to Lynn Dohm, executive director of WiCyS, the program’s participants lauded it for providing them with a strong network of support where they can ask questions, share best practices and get insight from both SANS security experts and Google security team members. “You cannot put a price tag on the power of community, and last year’s WiCyS Security Training Program proved just that,” Dohm said. The program’s first year was a smashing success, with 112 people receiving training-based scholarships and 15 people receiving full scholarships.

    Participants took part in training that included CyberStart Game and SANS BootUp CTF, the SANS SEC275 Foundations & Exam, SANS 401 Security Essentials Bootcamp and GSEC.

    There were also elective courses on SANS SEC504/GCIH, SEC488/GCLD, SEC560/GPEN, and SEC548/GWAPT.

    In total, 24 certifications were earned, and there was a 100% pass rate, with the average score on the GSEC being 90%. The organizations also noted that since 2013, just two people have ever scored a 99% on GIAC Certified Incident Handler, one of whom was a WiCyS Scholarship recipient. All of the participants who received full scholarships said they intended to spend at least 15 years in the information security field.

    Elizabeth Beattie participated in the program and said she was also awarded a scholarship to attend the WiCyS 2021 conference in September. In addition to attending the conference, she will be co-authoring a panel with other participants in the program. “And the crowning achievement? Tonight, I passed my first GIAC certification (GSEC)!” Beattie said.

    More than 900 people applied for the program in the program’s first year, and 445 participated in the first round. From there, 116 made it to the CyberStart game, and 15 received full scholarships to an Academy for advanced training and certification.

    With the added support of Facebook and Bloomberg, the Security Training Scholarship Program will be expanded to reach even more women. Dohm said they were thrilled to scale the program this year thanks to the scholarships from Google, Bloomberg, and Facebook. “Now, more WiCyS members will be able to dive deep and change the trajectory of their career in less than a year, all within a cohort setting with extensive support and resources provided by mentors and colleagues,” Dohm said. “That’s what empowerment looks like, and we are thrilled that these three incredible strategic partners of WiCyS can make this happen for not only the WiCyS community but also for the sake of the cybersecurity workforce at large.”

    The application process began on July 8 and will be open through August 2, 2021. Applications can be found on the WiCyS website.
    The program starts with the SANS Beginner-level Capture the Flag before moving to an interactive, gamified learning platform through a CyberStart game. The next stage involves the SANS CyberTalent assessment, which allows evaluators to measure a person’s “technical aptitude for cybersecurity learning and fundamental skills.”

    “As the program advances, participants will engage in multiple training opportunities, where participants will be progressively narrowed down to a final 38 members who receive advanced technical training to launch and/or advance their careers,” WiCyS explained. “Newcomers and career changers are welcome to participate in this program, which spans up to 9 months for those who take part in all its stages.”

    Those chosen will then be invited to take part in the SEC275/Foundations course + GFACT certification exam, and the final round will involve more SANS training courses.

  • Nasty Linux systemd security bug revealed

    Systemd, the Linux system and service manager that has largely replaced init as the master Linux startup and control program, has always had its critics. Now, with Qualys’s discovery of a new systemd security bug, systemd will have fewer friends. Successful exploitation of this newest vulnerability enables any unprivileged user to cause a denial of service via a kernel panic.  In a phrase, “that’s bad, that’s really bad.”

    As Bharat Jogi, Qualys’s senior manager of Vulnerabilities and Signatures, wrote, “Given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately.” You can say that again. Systemd is used in almost all modern Linux distributions. This particular security hole arrived in the systemd code in April 2015.

    It works by enabling attackers to misuse the alloca() function in a way that would result in memory corruption. This, in turn, allows a hacker to crash systemd and hence the entire operating system. Practically speaking, this can be done by a local attacker mounting a filesystem on a very long path. This causes too much memory space to be used in the systemd stack, which results in a system crash.

    That’s the bad news. The good news is that Red Hat Product Security and systemd’s developers have immediately patched the hole. There’s no way to remedy this problem. While it’s not present in all current Linux distros, you’ll find it in most distros such as Debian 10 (Buster) and its relatives like Ubuntu and Mint. Therefore, you must, if you value keeping your computers working, patch your version of systemd as soon as possible. You’ll be glad you did.

  • The Android apps on your phone each have 39 security vulnerabilities on average

    Over 60% of Android apps contain security vulnerabilities, with the average number of bugs per-app totaling a whopping 39 vulnerabilities. These figures are based on data presented by Atlas VPN, and data based on a report by CyRC, which analyzed the security of open-source software components of 3,335 free and paid mobile applications on the Google Play store as of Q1 2021.

    The report makes sobering reading because it highlights the huge problems that Android users face when it comes to securing their smartphones.

    And it’s not just free apps and games. The problems are across the board and affect apps such as banking and payment apps.

    Predictably, the category of top-free games was the worst, where 96% were found to contain vulnerable components. Following closely behind were top-grossing games and top-paid games.

    [Figure: Share of Android applications with at least one known vulnerability, by app category (Q1 2021). Source: Atlas VPN]

    And some of these bugs are old.

    “All in all, 3,137 unique vulnerabilities were found in Q1 2021 that appeared more than 82,000 times across Android apps,” the report states. “A total of 73% of vulnerabilities had been first disclosed more than two years ago. However, they were still present in Android apps in the first quarter of this year.”

    While it’s easy to focus on games, educational, banking, and productivity apps are also a toxic hellstew of vulnerabilities. What makes it worse is that most of these bugs are fixable, if the developers cared to do an audit.

    “Educational apps had the highest number of exploitable Android vulnerabilities with possible fixes as of the first quarter of 2021 – 43 percent. Meanwhile, productivity and banking apps occupied the second and third spots in the list. They contained 41 percent and 39 percent of such vulnerabilities, respectively.”

    Is this a problem? Yes, says Atlas VPN, which says that “given that the Google Play store applications have been downloaded millions of times, it is safe to say they pose significant security risks to Android users.”

  • Disruptive Technologies Sensor Starter Kit, hands on: IoT in a box

    If you’re looking to explore how IoT technology could benefit your business or home, and you like tinkering and app development, the Sensor Starter Kit from Norwegian company Disruptive Technologies could be the launchpad you need. For £579 ($649 in the US, €669 in Europe) you get five small sensors — they’re the size of Scrabble tiles — to measure temperature, touch, proximity, humidity and the presence of water; these talk wirelessly to a 4G/LTE Cloud Connector gateway, which uploads data to the DT Studio web app where you can create dashboards, configure notifications and integrate data streams with your own applications via webhooks or a full-blown REST API. It’s all remarkably straightforward.

    [Image: Disruptive Technologies’ Sensor Starter Kit costs £579, US$649 or €669. Credit: Disruptive Technologies]

    Sensors

    [Image: The sensors — temperature, touch, proximity, water and humidity — are about the size of Scrabble tiles, and are designed to stick to flat surfaces. Credit: Disruptive Technologies]

    The sensors are small tile-shaped devices, measuring 19mm by 19mm by 2.5mm and weighing 2g, with a protective film on the back that you peel off, allowing you to stick the sensor to a flat surface. They’re identified by name and a QR code printed on the front, but if these should wear off, you can identify them via touch (when connected to a Cloud Connector).

    Disruptive Technologies’ sensors use a proprietary wireless connectivity protocol called SecureDataShot (SDS), which, the company says, is a better fit for high sensor density installations with high data collection frequencies in a limited area (an office building, for example) than the popular LoRa technology, which is more suitable for longer ranges, and lower sensor densities and data rates. In Europe, SecureDataShot uses the 868MHz ISM band, while the 915MHz band is used in the US. SDS provides end-to-end encryption and seamless roaming across Cloud Connector gateways. According to Disruptive Technologies “The SDS protocol is designed to allow up to one million sensors to operate in a small, geographical area”.

    [Image: You can identify any of the sensors and check they’re working by touching them and checking for a response in Studio. Credit: Charles McLellan / ZDNet]

    The sensors are durable and waterproof, with an IP68 rating, and have Wi-Fi-like range indoors (~25 metres) or, in ‘high power boost’ mode, up to a kilometre outdoors with no obstructions. The range is 300m in standard mode, which consumes less battery power. Battery life will vary depending on conditions, but is rated at up to 15 years in the default configuration, which makes a standard-mode radio transmission every 15 minutes.

    The temperature sensor operates between -40 and 85°C but will deliver reduced performance outside the recommended -25 to 50°C range (longer recovery time and reduced range at low temperatures; reduced battery life at high temperatures). Also, the humidity sensor, which measures both temperature and relative humidity, has a standard-mode battery life of up to 10 years, rather than 15 years for the other four devices.

    Cloud Connector

    The Cloud Connector — we had an EU 4G version in our review kit — measures 65mm wide by 130mm deep by 40mm thick and weighs 200g. It comes with a Power-over-Ethernet (PoE) adapter, UK and EU plug attachments, an RJ-45 Ethernet cable and fasteners for wall mounting. This device relays data streams from the wireless sensors to the cloud-based DT Studio app via a 4G LTE or Ethernet connection.

    [Image: The Cloud Connector relays sensor data to the cloud-based Studio app over Ethernet (above left) or 4G LTE (above right). Credit: Charles McLellan / ZDNet & Disruptive Technologies]

    The Cloud Connector connects automatically to within-range sensors and its installed 4G LTE SIM roams between mobile networks to find the best connection to the cloud. If mobile coverage is poor where you live and/or work, you can use a wired Ethernet connection instead. I relied on Ethernet and my fibre-based home broadband during this review, as the mobile signal — in a rural area just 45 miles north of London — is poor on all four mobile networks. The Sensor Starter Kit comes with a year’s subscription for the mobile connection, which must subsequently be renewed at €24 per year via the DT Studio app.

    DT Studio

    DT Studio is where you organise your sensors and Cloud Connectors, set up organisations and projects, manage access, and make external integrations. It’s a functional web app that, once you’ve set up your account, presents you with a default Inventory project containing all of your sensors. If you buy new sensors, which cost £49/$59/€59 or £59/$69/€75 each, they’ll show up here first. We were quickly able to set up simple projects, such as one to measure temperature and humidity at a first floor east-facing window — which reported some startlingly high temperatures during the recent UK heatwave.

    [Image: A DT Studio project measuring temperature and humidity. Credit: Charles McLellan / ZDNet]

    You can invite new project members to be administrators (who can move devices between projects and manage access), developers (who can edit devices and project settings) or users (who have view-only access). Notifications are also available — for example, we set up email alerts for various temperature levels, and for the presence of water in an area of the loft where we suspected a roof leak.

    [Image: Inviting new project members in DT Studio. Credit: Charles McLellan / ZDNet]

    Sensor data is stored in the DT cloud for 31 days, but if you want to forward your data to external services, in real time, you can use Data Connectors. These are similar to webhooks, but with an additional delivery guarantee, low latency and TLS encryption. The DT Studio app is built on Disruptive Technologies’ REST API, which, once you’ve set up a suitable service account, can also enable the same array of capabilities. You can interact with DT’s REST API and a range of endpoints using tooling such as cURL, Python API and Postman.

    The Sensor Starter Kit isn’t exactly cheap at £579/$649/€669, and of course if you decide to install hundreds or thousands of sensors and multiple Cloud Connectors, you’ll soon run up a serious bill. That said, the SSK is easy to get to grips with, even for a non-developer, and should prove valuable in proofs-of-concept and pilot programmes where organisations are exploring how to optimise the layout and management of their premises.

  • Google Cloud rolls out new security tools as threat landscape heats up

    Google Cloud on Tuesday is introducing a range of new security products, for both its private and public sector customers, as they look to respond to the quickly-evolving threat landscape. The new public sector tools will help agencies comply with President Joe Biden’s cybersecurity executive order. Meanwhile, other Google Cloud customers will have access to more automated security operations, as well as new threat detection capabilities powered by Palo Alto Networks technology.

    The new products follow a series of dramatic cybersecurity incidents, including the Colonial Pipeline ransomware attack that shut down gas and oil deliveries throughout the southeast, the SolarWinds software supply chain attack and an extensive hack on Microsoft Exchange servers. For CSOs, however, there’s no room to breathe easy.

    “If anything, the attack surface is going to get worse,” Sunil Potti, Google Cloud VP and GM of cloud security, said to reporters last week.

    Rather than “build products that fix problems with other products,” he said, Google has focused on building “invisible security” into the cloud. “Invisible security is about making security simple,” Potti said. “When you embrace GCP security, you’re not just getting a safer environment, but you’re simplifying your overall operations.”

    To that end, Google Cloud is introducing Autonomic Security Operations, a turnkey offering that the company is bringing to the managed security services market in partnership with BT. The service provides access to products, integrations, blueprints, technical content and an accelerator program to help customers emulate a best-in-class Security Operations Center (SOC).
    Google is also introducing Cloud IDS, a cloud-native, managed Intrusion Detection System that leverages Palo Alto Networks technology to help customers detect malware, spyware, command-and-control attacks and other network-based threats. Cloud IDS should be particularly important for industries with compliance requirements that mandate the use of an IDS, such as financial services, retail and healthcare.

    The new offering makes it easier to deploy and manage network threat detection, and it provides visibility into traffic flowing into the cloud, as well as traffic between workloads. To respond to threats detected by Cloud IDS, customers can create custom remediation workflows within Google Cloud. The data Cloud IDS generates can be integrated into SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) solutions. At public preview, Cloud IDS will integrate with Splunk Cloud Platform, Splunk Enterprise Platform, Exabeam Advanced Analytics, The Devo Platform, and Palo Alto Networks Cortex XSOAR. It should also soon integrate with Google Cloud’s Chronicle and Security Command Center. Meanwhile, Google is stepping up the capabilities in Chronicle, its cloud-native security analytics platform, by integrating it with Google’s analytics platforms Looker and BigQuery. Among other things, this will allow customers to use newly-embedded dashboards, driven by Looker, in five content categories: Chronicle security overview, data ingestion and health, IOC matches, rule detections and user sign-in data. Google is also expanding the availability of its Risk Protection Program to all Google Cloud customers in public preview. The program helps customers connect with Google’s insurer partners, Allianz Global Corporate & Specialty (AGCS) and Munich Re, who designed a specialized cyber insurance policy for Google Cloud customers. For the public sector, Google has a series of new services that will help organizations maintain compliance with the cybersecurity executive order President Biden signed in early May. 
    The executive order comes down to a few simple goals, Mike Daniels, Google Cloud’s public sector VP, said: “accelerating the journey to a zero-trust architecture, solid cyber analytics along with diagnosis, and an ability to rapidly recover.”

    To aid in that effort, Google is introducing a new Zero Trust Assessment and Planning offering, delivered via Google Cloud’s professional services organization (PSO). Google’s PSO team will help organizations assess their most pressing threats based on their IT landscape and create a roadmap to zero-trust security that considers factors like budget limitations and legacy technology. “Most of the time, zero trust is something that everyone wants to get to, but no one knows where to begin,” Daniels said.

    Next, Google Cloud is introducing Secure Application Access Anywhere, a new, container-based service for secure application access and monitoring. Google’s PSO team provides the service in partnership with Palo Alto Networks. It gives customers access to Google Cloud’s Anthos to deploy and manage containers that provide secure access and monitoring for applications, in cloud or on-premise environments.

    Lastly, the new Active Cyber Threat Detection service helps government organizations quickly determine if they may have been compromised by cyberattacks that they have not yet detected. It will help them quickly analyze historical and current log data, leveraging capabilities from Google’s Chronicle. It will be delivered via Google Cloud partner Fishtech CYDERES.

  • IBM FlashSystem gets safeguarded data copies to speed up cyberattack recovery

    IBM said it is adding tools to its FlashSystem portfolio of all-flash arrays to better recover from ransomware and cyberattacks. It’s no secret that ransomware is a huge scourge to multiple organizations. To that end, IBM launched IBM Safeguarded Copy for the IBM FlashSystem storage systems. Safeguarded Copy automatically creates data copies that are security isolated within the systems and cannot be accessed. These snapshots are available in the event of a data breach or cyberattack that disrupts operation. In theory, IBM’s approach can help companies and understaffed government groups to recover faster.

    Key items about IBM Safeguarded Copy, which is based on technology from IBM’s DS8000 storage portfolio:

      • Storage admins can schedule automatic snapshots.
      • Snapshots are put into safeguarded pools on the storage system.
      • Data in this safeguarded pool is only actionable after it has been recovered.
      • Safeguarded Copy can also be used to extract and restore data to diagnose production issues as well as validate copies.
      • IBM Safeguarded Copy can be integrated with IBM Security QRadar platform for security monitoring. QRadar will be able to monitor for attacks and proactively trigger Safeguarded Copy to create backups.

    In addition, IBM said it will launch its IBM Storage as a Service for hybrid cloud storage with availability in North America and Europe in September. Customers will be able to scale up storage capacity with variable pricing. IBM Storage as a Service is part of Big Blue’s Flexible Infrastructure offerings.