Healthcare Cybersecurity

HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem

Healthcare providers are increasingly leveraging health information technology to provide virtual healthcare services to patients. Telehealth services allow patients living in rural areas and the elderly to gain access to essential medical services, and the pandemic has seen a major expansion in telehealth to provide virtual healthcare services to patients to reduce the spread of COVID-19.

According to FAIR Health, the number of telehealth claims to private insurers has increased by 4,347% in the past year, with virtual care such as telehealth now one of the fastest growing areas of healthcare. The Centers for Medicare and Medicaid Services has committed to providing long term support for virtual healthcare services and Frost & Sullivan predicts there will be a seven-fold increase in telehealth by 2025.

The major expansion of healthcare services has happened quickly and at a time when the healthcare industry is being targeted by cybercriminals more than ever before. Hackers have been exploiting vulnerabilities with ease to gain access to sensitive healthcare data and disrupt operations for financial gain. A 2020 study by SecurityScorecard and DarkOwl revealed there was a near exponential increase in targeted attacks on telehealth providers as the popularity of telehealth soared.

In order for virtual healthcare services to reach their full potential, it is essential for healthcare industry stakeholders to identify and address the privacy and security risks to healthcare data, which can be a challenge in a complex, connected environment such as healthcare.

This week, the Healthcare and Public Health Sector Coordinating Council (HSCC) has published a white paper that provides guidance for the healthcare industry on identifying cybersecurity vulnerabilities and risks related to the use and management of telehealth and telemedicine.

The new resource, Health Industry Cybersecurity—Securing Telehealth and Telemedicine, was published for the benefit of healthcare systems, clinicians, vendors, service providers, and patients, who together share the responsibility for ensuring telehealth provides the maximum benefit while keeping privacy and security risks to a low and acceptable level.

The document explains the cyber risks associated with telehealth and telemedicine and outlines the regulatory issues that apply to telehealth services, providing audit tools, guidance on policies and procedures, and suggesting best practices to adopt.

The guidance document outlines the policy underpinnings of healthcare cybersecurity, explains regulations and organizational policies, cybersecurity considerations, and includes recommendations for implementing and maintaining telemedicine programs.

“Currently, there is no single federal agency with authority to establish and enforce privacy and security requirements for the entire telehealth ecosystem,” explained HSCC. “At a minimum, telehealth systems need to maintain security and privacy consistent with those of all other forms of care.”

Healthcare organizations are encouraged to adopt the best practices suggested in the white paper and implement the recommendations appropriate to their risk profile to improve privacy and security protections to get the optimal benefit from telehealth and telemedicine services.

You can download the HIC-STAT white paper on this link.

The post HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem appeared first on HIPAA Journal.

Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks

Health-ISAC, in conjunction with the American Hospital Association (AHA), has published guidance for healthcare information security teams to help them improve resilience against supply chain cyberattacks such as the recent SolarWinds Orion incident.

The white paperStrategic Threat Intelligence: Preparing for the Next “SolarWinds” Event – provides insights into the cyberattack and explores the characteristics that made such an attack possible. The document provides technical recommendations for senior business leaders, C-suite executives, and IT and information security teams to help them prevent and mitigate similar attacks.

Solutions such as SolarWinds Orion have privileged access to the assets they are used to manage, and those supply chain dependencies and inherent trust models were exploited in the SolarWinds Orion attack. The attackers exploited a software update mechanism to inject a backdoor into the network monitoring platform. The update was downloaded and applied by around 18,000 customers and selected companies were then targeted in more in-depth compromises, including several government agencies and cybersecurity firms. The U.S. government recently formally attributed cyberattack to the Russian Foreign Intelligence Service (SVR).

Platforms such as SolarWinds Orion are an attractive target for threat actors. They are used by many attractive targets such as large enterprises and government agencies, they have a centralized system that controls multiple subsystems, networks, and products, and they require little interaction, if any, from the controlled system. The system has an undisclosed, unpatched, or unknown opening that attackers can exploit for a degree of administrative control and, if that opening is exploited, the attackers can gain limited or total control of the subsystems it controls.

All of those factors were exploited in the SolarWinds attack and a further four incidents are described in the white paper where similar characteristics were exploited – – The 2003 HP OpenView vulnerability, WannaCry, NotPetya, and the 2021 SAP Solution Manager incident.

Similar cybersecurity incidents are likely to happen time and time again, so it is important for steps to be taken to minimise risk and limit the damage that can be caused. The white paper details the risks involved with enterprise IT systems such as SolarWinds Orion and provides recommendations that can be applied to allow organizations to predict, and hopefully prevent, similar incidents in the future.

Recommendations include signing up with an ISAC to receive timely and actionable threat intelligence, conducting vulnerability scans to identify vulnerabilities, patching promptly, adhering to the principle of least privilege, and implementing a program of continuous verification to ensure that security controls are still effective at blocking threats.

“What is truly needed is close cooperation between governments, the healthcare sector and all critical infrastructure globally via a formal exchange of cyber threat information and combined cyber defenses – to create a truly global approach,” explained Health-ISAC in the white paper. “We urge organizations to use the strategic and tactical issues discussed in this paper as considerations for all trusted systems used, or planning to be used, in your environment.

The post Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks appeared first on HIPAA Journal.

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russian and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities and patches are available to address all the software flaws. While many organizations have now patched the flaws, they may have already been exploited and networks been compromised. Steps should be taken to identify whether systems have been compromised and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

Vulnerability Products Description Affected Versions
CVE-2018-13379 Fortinet FortiGate VPNs Unauthenticated attackers can download system files via HTTP resource requests Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
CVE-2019-9670 Synacor Zimbra Collaboration Suite XML External Entity injection (XXE) vulnerability 8.7.x before 8.7.11p10.
CVE-2019-11510 Pulse Secure VPNs An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
CVE-2019-19781 Citrix Application Delivery Controller and Gateway Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code. Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
CVE-2020-4006 VMware Workspace One Access Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and federal agencies in the United States.  Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions of Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian Technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russian and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities and patches are available to address all the software flaws. While many organizations have now patched the flaws, they may have already been exploited and networks been compromised. Steps should be taken to identify whether systems have been compromised and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

Vulnerability Products Description Affected Versions
CVE-2018-13379 Fortinet FortiGate VPNs Unauthenticated attackers can download system files via HTTP resource requests Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
CVE-2019-9670 Synacor Zimbra Collaboration Suite XML External Entity injection (XXE) vulnerability 8.7.x before 8.7.11p10.
CVE-2019-11510 Pulse Secure VPNs An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
CVE-2019-19781 Citrix Application Delivery Controller and Gateway Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code. Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
CVE-2020-4006 VMware Workspace One Access Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and federal agencies in the United States.  Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions of Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian Technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.

COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups

The global COVID-19 vaccine cold chain continues to be targeted advanced persistent threat groups, according to an updated report from IBM Security X-Force. X-Force researchers previously published a report in December 2020 warning that cyber adversaries were targeting the COVID-19 cold chain to gain access to vaccine data and attacks continue to pose a major threat to vaccine distribution and storage.

There are currently more than 350 logistics partners that are part of the cold chain and are involved in the delivery and storage of vaccines at low temperatures. Since the initial report was published on cold chain phishing attacks, IBM X-Force researchers have identified a further 50 email message files tied to spear phishing campaigns, which have targeted 44 companies in 14 countries throughout Europe, the Americas, Africa, and Asia.

The companies being targeted underpin the transport, warehousing, storage, and distribution of COVID-19 vaccines, with the most targeted organizations involved in transportation, IT and electronics, and healthcare such companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene services.

Threat actors, believed to be backed by nation states, have expanded their campaigns and are using spear phishing emails to steal credentials of CEOs, global sales officers, purchasing managers, HR officers, heads of plant engineering and others to gain privileged insight into national Advance Market Commitment (AMC) negotiations related to the procurement of vaccines, time tables for distribution, information on the passage of vaccines through nations and territories, export controls and international property rights, World Trade Organization (WTO) trade facilitation agreements, technical vaccine information, and other sensitive data.

The threat group behind this campaign appears to have an in depth understanding of the vaccine cold chain. The emails used in the spear phishing campaign impersonate an executive from the Chinese biomedical company, Haier Biomedical, which is the world’s only complete cold chain provider.

The emails request price quotations for service contracts regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and reference products such as a solar-powered vaccine refrigerator and ice-lined refrigerator from the Haier Biomedical product line. The emails also mention organizations involved in petrochemical production and the manufacturing of solar panels that aligns with those products, and the language used in the email reflects the educational background of the sender that is spoofed in the signature block.

The emails have malicious HTML attachments which are opened locally, with the user requested to provide their credentials to view the file. If credentials are entered, they are captured and exfiltrated to the attackers’ command and control server.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

With vaccine nationalism and global competition related to access to vaccines, attacks that disrupt the cold chain were inevitable. While the researchers have not been able to attribute the campaign to any threat group, there is a strong likelihood that this is a nation state operation.

If the cold chain is disrupted it could result in delays delivering the vaccines or could disrupt the conditions required for safe vaccine transport and storage, which could render the vaccines unsafe or useless. IBM has published Indicators of Compromise in its report to help organizations in the COVID-19 cold chain protect against attacks.

The post COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups appeared first on HIPAA Journal.

100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities

Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks.

The flaws are mostly due to how parsing of domain names occurs, which can breach DNS implementations, and problems with DNS compression, which devices use to compress data to communicate over the Internet using TCP/IP.

This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OP systems does not necessarily mean devices are vulnerable, many will be. The researchers suggest that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide.

Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and the government, with healthcare organizations and government agencies two of the top three worst affected sectors. Fortunately, the vulnerabilities are not straightforward to exploit. A malicious packet must be sent in response to a legitimate DNS request, so exploitation would require a man-in-the-middle attack or the use of an exploit for a different vulnerability between the target device and the DNS server. E.g., DNSpooq.

The 9 vulnerabilities are detailed in the table below, along with the products and TCP/IP stacks affected:

Vulnerability CVE Stack Impact CVSS Score
CVE-2016-20009 IPnet Remote Code Execution 9.8
CVE-2020-15795 Nucleus NET Remote Code Execution 8.1
CVE-2020-27009 Nucleus NET Remote Code Execution 8.1
CVE-2020-27736 Nucleus NET Denial of Service 6.5
CVE-2020-27737 Nucleus NET Denial of Service 6.5
CVE-2020-27738 Nucleus NET Denial of Service 6.5
CVE-2020-25677 Nucleus NET DNS Cache Poisoning 5.3
CVE-2020-7461 FreeBSD Remote Code Execution 7.7
Awaiting CVE NetX Denial of Service 6.5

The flaws range in severity, with the most serious vulnerabilities rated critical. The vulnerabilities can also be chained. For example, with CVE-2020-27009, an attacker can craft a DNS response packet and write arbitrary data in sensitive parts of the memory. CVE-2020-15795 allows the attacker to craft meaningful code to be injected, and CVE-2021-25667 allows a bypass of DNS query-response matching to deliver the malicious packet to the target.

FreeBSD is also used in pfSense firewalls and network appliances such as Check Point IPSO and McAfee SecurOS. NetX is used in wearable patient monitors such as those manufactured by Welch Allyn. Nucleus NET is used extensively in healthcare devices, including ZOLD defibrillators and ZONARE ultrasound machines. The flaw in FreeBSD is of particular concern as the network stack is used in many embedded devices and millions of higher performance IT servers, including those used by major websites such as Yahoo and Netflix.

The flaws could be used for extortion in denial-of-service attacks on mission-critical systems, to steal sensitive data, or could allow modifications to devices to alter functions and could cause significant damage. Since vulnerable devices are used in heating, ventilation, lighting, and security systems, critical building functions could also be tampered with.

While patches have now been released to correct the flaws, applying those patches may be problematic. Many of the vulnerable affected internet-enabled devices are used to control mission-critical applications that are always running and cannot easily be shut down.

Mitigating NAME:WRECK Vulnerabilities

The first stage is to identify all vulnerable devices. Forescout is developing an open-source script that can be used to fingerprint all vulnerable devices. Devices will not be protected until the patches are applied, so after identifying all vulnerable devices, mitigations should be implemented until the patches can be applied. Those measures should include device and network segmentation, restricting external communication with vulnerable devices, and configuring the devices to run internal DNS servers. Network traffic should also be monitored for malicious packets attempting to exploit the vulnerabilities and other flaws in DNS, mDNS, and DCHP clients.

Patches have been released for FreeBSD, Nucleus NET, and NetX and device manufacturers, including Siemens, have already started releasing patches to correct the flaws in their products.

The post 100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities appeared first on HIPAA Journal.

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12.01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time of issuing the patches there have been no known cases of exploitation of the flaws in the wild, but it is likely that now the flaws have been publicly disclosed, the patches could be reverse engineered and working exploits developed.

All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks.

Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user interaction required. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been assigned a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483 has a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

If any vulnerable Microsoft Exchange Servers cannot be updated before the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the updates can be applied. Technical and/or management controls must be implemented to ensure newly provisioned and previously disconnected endpoints are updated prior to connecting them to agency networks. CIOs or equivalents are required to submit a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been updated or disconnected, and should any cyber incidents be detected, Indicators of Compromise must be submitted to CISA.

Patches to correct all four flaws were released by Microsoft on April 2021 Patch Tuesday, along with patches for a further 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky believes is being actively exploited in the wild by at least one threat group. In combination with browser exploits, attackers can escape sandboxes and gain system privileges for further access. Exploitation would allow the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to install new programs.

The post Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities appeared first on HIPAA Journal.

HHS OIG: HHS Information Security Program Rated ‘Not Effective’

The Department of Health and Human Services Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective.

The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards.

The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.

The levels of maturity for information security are Level 1 (Ad hoc policies); Level 2 (Defined); Level 3 (Consistently Implemented); Level 4 (Managed and Measurable); and Level 5 (Optimized policies). It is necessary to achieve Level 4 for an information security policy to be considered effective.

As of September 30, 2020 the HHS had made progress since the previous audit and had implemented several changes to strengthen the maturity of its enterprise-wise cybersecurity program. There were improvements across all FISMA domains, including increased maturation of data protection and privacy and continuous monitoring of information systems.

However, the HHS was given a “not effective” rating due to the failure to achieve the Level 4 maturity level in any of the 5 functional areas – Identify, Protect, Detect, Respond, and Recover function. The audit revealed there were deficiencies within the Identify, Protect, and Respond functional areas and the maturity level was below Consistently Implemented for some FISMA metric questions, both at the HHS overall and at selected operating divisions (OpDivs), in Contingency Planning.

The HHS achieved Defined (Level 2) for 17 FISMA metrics and Consistently Implemented (Level 3) for 42 FISMA metrics but had yet to achieve Managed and Measurable (level 4) in any of the IG FISMA metrics. There was no change in any of the FISMA metrics from the audit in FY19, although the audit revealed progress had been made in several individual IG FISMA metrics, such as consistent implementation of data exfiltration systems, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress had not been achieved in other areas due to the lack of information security continuous monitoring across the different HHS operating divisions, which is essential for providing reliable data for informing risk management decisions.

Several recommendations were made to strengthen the HHS’ enterprise-wide cybersecurity program. The HHS concurred with 11 of the recommendations and did not concur with 2.

The post HHS OIG: HHS Information Security Program Rated ‘Not Effective’ appeared first on HIPAA Journal.

CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany the open-source PowerShell-based Sparrow detection tool released in December 2020 to help network defenders detect potential compromised accounts in their Azure, Microsoft 365, and Office 365 environments.

Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts.

The Aviary dashboard helps network defenders analyze PowerShell logs and analyze mailbox sign-ins to determine if the activity is legitimate. Through the dashboard, PowerShell usage by employees can also be examined along with Azure AD domains to determine if they have been modified.

CISA is encouraging network defenders to review the previously released AA21-008A alert on detecting post compromise activity in Microsoft Cloud environments, which has now been updated to include instructions on using the Aviary dashboard. The Aviary dashboard is available for download on CISA’s Sparrow GitHub pages.

In order to use the Aviary dashboard, users must ingest Sparrow logs, import Aviary .xml code into the dashboard, point Aviary to Sparrow data using the index and host selection, and review the output.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyberattack on Windows operating systems within an on-premises environment. The tool examines Windows events logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

The post CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments appeared first on HIPAA Journal.