OTX Partners
OTX Roundtable GRC News
July 2024
Microsoft Delays Release of Copilot Recall amid Security Concerns
Last month we reported that Microsoft had gathered significant feedback regarding the announcement of its Recall feature to be embedded in its new line of Microsoft Copilot+ PCs. The feature tracks every move a user makes on their PC. Recall allows them to retrieve any action they have taken should they forget where they were when they executed the action.
All data is stored locally, not in the cloud. However, security experts immediately identified several security concerns. The data stored locally was not encrypted and could easily be accessed by anyone with access to the PC. Additionally, Recall was enabled by default, requiring users to change the settings to disable it. Last month Microsoft acknowledged the issues and promised fixes in time for the June 18 launch date.
However, last week Microsoft released its Copilot+ PCs without the Recall feature. Instead, Microsoft has decided to release the feature to members of the “Windows Insider” community for testing. This is a common approach taken by Microsoft prior to releasing a product to the general public. At this time there is no projected date for the release to the Windows Insider community.
United States Commerce Department Bans Kaspersky Software in the US
Not long ago Congress passed a law requiring TikTok to divest completely from its Chinese-owned parent company ByteDance within six months or risk a ban in the United States. That situation is currently headed to court.
In a similar move, the US Department of Commerce’s Bureau of Industry and Security (BIS) has issued a ban on the use of Kaspersky software within the US, citing its ties to the Russian government. As of July 20, US customers will no longer be able to purchase Kaspersky software. On September 29, existing users will no longer receive software updates and AV signatures, rendering it ineffective. According to the DoC BIS, they “found that the company’s continued operations in the United States presented a national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations—that could not be addressed through mitigation measures short of a total prohibition.” In 2017 the Department of Homeland Security issued a directive requiring all federal agencies to remove all Kaspersky-branded products.
MSPs implementing Kaspersky products as part of their security stack have until September 29 to replace them or risk leaving their clients vulnerable.
Center for Internet Security Releases Version 8.1 of CIS Controls
The Center for Internet Security (CIS) released the latest version of its cybersecurity framework on June 25. The new version is an iteration of Version 8.0, providing more clarity and granularity to the controls and safeguards. There are no new controls or safeguards; however, the new version includes more clarity in terms of what compliance means.
CIS 8.1 also aligns with the recently released NIST Cybersecurity Framework 2.0 through its remapping of safeguards to the new Govern function included in NIST CSF 2.0. It also expands the asset classes included in the Identify function to provide a much more granular approach to asset management. For example, enterprise assets are broken out by type, such as end-user devices, servers, IoT devices, and network devices. Portable and mobile devices are broken out as subsets of end-user devices. Software assets are also broken out, with services, libraries, and APIs as subsets of both the applications and operating systems classes. This will lead to much deeper scrutiny of the technical environment within organizations.
The new controls can be downloaded now free of charge from the CIS website.
Auto Dealerships Crippled Nationwide Due to CDK Breach
Two weeks ago many car dealerships opened for business only to find all of their systems were inaccessible. Those dealerships that relied on CDK automotive software were effectively out of business. CDK cloud services had suffered a major attack from threat actors. As the company attempted to restore operations, another attack crippled the company a second time. As of this writing CDK is claiming that most of its operations are now fully functional.
This incident brings to light several issues facing businesses today. The dealerships themselves were not directly responsible for the security and maintenance of the cloud services they were using; that is CDK’s responsibility. However, most auto dealerships came under the FTC Safeguards Rule last year because they process consumer leases for vehicles. These include requirements to safeguard the data as well as to report the potential theft of Personally Identifiable Information to the FTC within a certain timeframe. Here’s the rub: the dealerships have little to no control over the storage and security of the data in CDK’s system. They also would have no visibility as to whether the data was actually stolen or simply encrypted. Early indications are that CDK will handle all reporting requirements to the FTC for the dealerships.
As one would expect, given the immense financial impact this has created for the dealerships, the lawsuits are already flying. More details will emerge over the coming weeks, but it is clear that CDK’s Incident Response Plan, if there was an adequate one, did not include any confirmation of eradication or containment before attempting to restore operations. Dealerships themselves, required to have an Incident Response Plan under the FTC Rule, will be taking the lessons learned to heart.
Dealerships will also be faced with the age-old question: is it better to have all of our eggs in one basket with a fully integrated system, or to segment business operations among multiple systems?
Mark Jennings (OTX), Reg Harnish (OrbitalFire), and Kyle Christensen (Empath) discuss how MSPs can address cybersecurity in multiple ways.
Featured Blog
AI has been the buzz for several years now. When OpenAI unleashed ChatGPT on the public in late 2022, it went from being a murmur to an all-out roar. Since then, all of the major tech companies like Microsoft, Google, Meta, and Apple have released their own flavor of AI. There has been a lot of discourse about whether AI should be regulated, or even whether AI will be the end of us all.
Let's put all of that aside for a minute and look at some of the power that AI holds and how it can be used for both good and bad. Like all technology, AI can be abused and used for nefarious purposes. When it comes to cybersecurity, this is even more true.
On the positive side, AI is being used to improve the overall security of software by analyzing code and looking for weaknesses. This can help developers correct problems within their product. AI is increasingly being used to generate code as well. This can lead to more secure code in some cases. However, at the recent Infosecurity Europe 2024 Conference, Lucas von Stockhausen, executive director for application security engineering at Synopsys, discussed the fact that large language model (LLM)-based tools have a tendency to reuse vulnerable or improperly written code, just as they sometimes provide incorrect information or hallucinations…
Next OTX Roundtable Meeting
July 10, 2024
1:00 PM ET
Virtual
OTX Partners LLC
OTX Roundtable GRC is a peer group helping MSPs build and maintain a security and compliance-focused culture. Find out more here
© 2024 OTX Roundtable, Inc. All rights reserved. Designated trademarks, brands, logos, and service marks are the property of their respective owners.