Remember that supply chain attack against SolarWinds in late 2020. Ya, kinda hard to forget! SolarWinds became an attack vector to all of their clients and, in some cases, organizations further down the line.

It looks like there will be some actual accountability in the situation. The SEC has formally charged the SolarWinds corporation and the Chief Information Security Officer (CISO) individually for ”fraud and control failures relating to allegedly known cybersecurity risks and vulnerabilities.”

As part of its IPO in 2018, SolarWinds included only generic and hypothetical cyber security disclosures while, behind the scenes, CISO Timothy Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”

In the 68-page filing, the SEC reveals that SolarWinds claimed to follow the NIST 800-53 security framework in a security statement posted prior to the IPO. However, internal assessments between 2019 and 2021 revealed that SolarWinds had only implemented a small fraction of the standard (6%). By January 2021, the organization had only achieved 40% compliance with 60% of the controls left “completely unmet”.

When news of the breach first broke, SolarWinds’ stock price plummeted leaving many investors holding the bag. By making false claims about their security practices, the suit claims Brown and SolarWinds defrauded investors and deprived them of critical information while making investment decisions. Read the SEC summary notice here

This is in line with the new trend of federal regulatory agencies holding individual executives accountable for misrepresenting cyber security controls. In October of last year the Federal Trade Commission took action against James Cory Rellas, CEO of the alcohol delivery service Drizly, for failing to implement adequate cybersecurity controls despite having been altered to problems with the company’s data security procedures following a previous incident.

These two incidents should be seen as a warning sign that regulatory agencies a taking cybersecurity very seriously. Executive team members actively involved in the governance of cybersecurity policies are being held to account personally. the penalties can be severe and likely career ending for those involved.

This week, President Biden, issued an Executive Order, aimed at developing guardrails for the fast exploding Artificial Intelligence industry. The new EO is very broad and sweeping, addressing a wide swath of issues that have become areas of concern with the use of AI. This includes the danger of the technology to be used to commit fraud, produce dangerous biological materials, exacerbate racial biases and discrimination, and spread misinformation and disinformation. In an industry notorious for keeping its intellectual property tightly under wraps, the Executive Order requires “companies developing any foundation model that poses a serious risk to nation security, national economic security, or the public health and and safety must notify the federal government when training the model, and must share the results of all red-team safety tests.” NIST will be tasked with developing the rigorous standards for extensive red-team testing.

The Executive Order also addresses positive impacts and the ethical side of the use of AI. The order speaks to the use of AI tools to find and fix vulnerabilities in critical software. As part of the their ongoing AI Cyber Challenge, the administration has been critical of the software industry’s lack of focus on security in the development of software. The order also directs the National Security Council to and the White House Chief of Staff to develop a National Security Memorandum that directs the US Military and Intelligence community to “use AI safely, ethically, and effectively in their missions”

Data privacy has been a big issue for many years and AI makes it that much easier to extract, identify and exploit personal data. The Executive Order calls on Congress to pass legislation to protect the personal data of all Americans. This includes commercially available personally identifiable information procured through data brokers. This may lay the groundwork for an American version of GDPR.

The Large Language Models must be trained with vast amounts of data. It has been identified that historical data used to train the model has the danger of propagating discriminatory practices into the future based on the practices of the past. The Executive Order directs agencies to combat algorithmic discrimination. Among other groups, landlords, federal benefits programs, and the criminal justice system are directed to establish best practices to keep AI algorithms from being used to exacerbate discrimination.

The Executive Order also attempts to address the fear that we will all be replaced by robots someday. The recent Screen Writers Guild and Screen Actors Guild strikes highlighted the threat AI presents to the creative community. The order directs industry to develop principles and best practices to mitigate the harms and maximize the benefits of AI for workers. The order will produce a report on AI’s potential labor-market impacts and study and identify options for strengthening federal support for workers facing labor disruptions.

Finally, the order addresses the need to ensure an open, competitive marketplace that maintains the United States’ leadership in the AI space both at home and globally. View the FACT SHEET here

The new FTC Safeguards Rule just went into effect earlier this year, however, one additional requirement has been added to the rule

The new rule, which went into effect June 9th of this year is an evolution of the Gramm-Leach-Bliley Act of 1999. It broadens the definition of a financial institution to include, among others, mortgage brokers, collection agencies, CPAs, car dealerships that lease vehicles to consumers, and mortgage settlement companies. It also provides guidance on specific controls that need to be implemented in order to properly safeguard personal financial information.

The amendment requires non-banking financial institutions to report data breach incidents within 30 days. It applies to incidents that impact 500 or more customers. However, if the data stolen is encrypted the requirement does not apply.

The reporting requirements include the name and contact of the reporting financial institution, a description of the type of information involved, the date and duration of the incident, and the number of consumers affected. It also asks for confirmation of whether law enforcement has advised that public disclosure of the breach could obstruct an investigation or threaten national security.

The amendment is schedule to take effect in April 2024. For More background on the FTC Safeguards Rule see this month's featured blog.

In September of 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released the initial version of its #StopRansomware Guide. This provides ransomware and data extortion prevention best practices and a response checklist. The guide identifies numerous countermeasures to help prevent threat actors from infiltrating organizations and spreading ransomware. It describes many specific examples of tools and techniques that can be implemented base on the common attack vectors used by bad actors.

The 31-page updated version incorporates new information gleaned from research on the latest attack techniques collected by CISA and other security experts over the past three years.

Additional resources are cited throughout the report for more in-depth information on certain topics. Schematic diagrams articulate proper network segmentation techniques to limit the propagation of any ransomware or malware.

Organizations can use the the Ransomware and Data Extortion Response Checklist as part of their Incident Response Plan.

The #StopRansomware Guide is a great resource for MSPs for managing their own internal networks but also an opportunity to discuss the topic with clients and ensure they are protecting themselves at an equal level.

Join us for this free virtual event to learn about the latest use cases, adoption trends, and recommendations for prioritizing your Zero Trust projects and initiatives for 2023. Whether you are new to Zero Trust or an experienced practitioner, this forum is a must-attend event to understand the policies, procedures and technologies required to enable a zero-trust strategy.