SEC updates cybersecurity rules, Microsoft battles hackers, Citrix NetScaler vulnerability actively targeted
By John Bruggeman, virtual Chief Information Security Officer
SEC updates cybersecurity rules for publicly traded companies
On July 26, the U.S. Securities and Exchange Commission (SEC) released its final rule on cybersecurity risk management, strategy, governance, and incident disclosure. The topic getting the most press is that publicly traded companies now have four business days to disclose "material" cybersecurity incidents. Those incidents must be reported to the SEC on Form 8-K (Item 1.05).
This will not affect companies in Canada that are not regulated by the SEC, but I do expect the Canadian Securities Administrators to move in a similar direction given the global nature of cybersecurity risk.
Publicly traded companies also must have a cyber-risk management program and strategy. The SEC stated:
“The Commission noted the Division of Corporation Finance staff’s experience that most registrants disclosing a cybersecurity incident do not describe their cybersecurity risk oversight or any related policies and procedures, even though companies typically address significant risks by developing risk management systems that often include written policies and procedures.” (Final rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure)
Many publicly traded companies do not have good cybersecurity policies, clear cyber-risk management, or a strategy. OnX Canada has ample experience in this area and can be a strategic partner.
Companies also must describe their cyber-risk governance: how the board oversees cybersecurity risk and how management assesses and manages it.
What board committee or subcommittee is responsible for oversight and the process by which they are informed about cyber risks? What is management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures, and strategies?
The clock is ticking for all publicly traded companies. The incident disclosure requirement takes effect on December 18, 2023; note that the four-business-day window starts when the company determines an incident is material, not when the incident is discovered, so the materiality decision itself needs a defined, documented process. Disclosures for risk management, strategy, and governance are required for fiscal years ending on or after December 15, 2023.
What to do?
If your company is publicly traded and you are governed by the SEC, OnX can help develop a cybersecurity reporting program, cybersecurity risk management program, and a governance program. OnX has the expertise to help build what you need to meet these new regulations and requirements.
Microsoft battles for the keys to the kingdom
On July 11, Microsoft disclosed that a threat actor linked to the Chinese government had acquired a Microsoft private signing key and used it to forge authentication tokens that impersonated targeted users. Microsoft confirmed access to Exchange Online (Outlook Web Access) and Outlook.com mailboxes, and because the key was trusted for Azure AD tokens, the same forged tokens could potentially reach Teams, OneDrive, and SharePoint files of those the actor wanted to target.
Microsoft attributed this spying activity to the APT group it tracks as Storm-0558. At the time of writing Microsoft did not know how the group acquired the key, but with it Storm-0558 minted tokens that let it read any e-mail, or access any file on SharePoint or OneDrive, as if it were the targeted user. A forged token bypasses the login step entirely: no password, no MFA prompt, and no interaction with the victim was needed, because a token is what the service checks after authentication has already happened.
Essentially, Storm-0558 held a skeleton key to the victims’ e-mail accounts and related O365 services. That is bad, very bad, and it gave this APT group nearly effortless access to some U.S. government accounts that held unclassified information.
Here is a short section of the explanation from Microsoft:
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident—including the actor-acquired MSA signing key—have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.
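The "validation issue" Microsoft describes above is a key-scope confusion: a token verifier that looks up signing keys in one merged set, by key ID alone, will accept a signature from a consumer key on a token whose claims name an enterprise tenant. The following is an added illustration of that flaw and its fix, not Microsoft's code: HMAC-SHA256 stands in for the real RSA signatures, and the issuers, audiences, key IDs and keys are all made up.

```python
"""
Signing-key scope confusion, the class of flaw behind the Storm-0558 tokens.
Added illustration, not Microsoft's code. HMAC-SHA256 stands in for the real
RSA signatures; issuers, audiences, key IDs and keys are hypothetical.
"""
import base64
import hashlib
import hmac
import json

CONSUMER_ISSUER = "https://login.example.test/consumers/"      # hypothetical MSA issuer
ENTERPRISE_ISSUER = "https://login.example.test/corp-tenant/"  # hypothetical Azure AD tenant
MAIL_AUDIENCE = "https://mail.example.test"                   # hypothetical Exchange audience

# Each issuer has its own signing keys; the consumer key must never
# validate a token that claims to come from the enterprise issuer.
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-2016": b"consumer-signing-key (hypothetical)"},
    ENTERPRISE_ISSUER: {"aad-2023": b"enterprise-signing-key (hypothetical)"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS-style token: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    return f"{header_b64}.{payload_b64}", header, claims, _b64url_decode(sig_b64)


def _signature_ok(signing_input: str, key: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_flawed(token: str, audience: str):
    """Looks the key up by kid in ONE merged key set. A signature by any
    trusted key is accepted for any issuer, so the consumer key can vouch
    for an enterprise-tenant identity. Returns the claims, or None."""
    merged = {kid: key for keys in KEYS_BY_ISSUER.values() for kid, key in keys.items()}
    signing_input, header, claims, sig = _parse(token)
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(signing_input, key, sig):
        return None
    if claims.get("iss") not in KEYS_BY_ISSUER or claims.get("aud") != audience:
        return None
    return claims


def validate_hardened(token: str, audience: str, expected_issuer: str):
    """Binds the key lookup to the issuer the caller expects: the kid must
    exist in THAT issuer's key set, and iss/aud must match exactly."""
    signing_input, header, claims, sig = _parse(token)
    if claims.get("iss") != expected_issuer or claims.get("aud") != audience:
        return None
    key = KEYS_BY_ISSUER[expected_issuer].get(header.get("kid"))
    if key is None or not _signature_ok(signing_input, key, sig):
        return None
    return claims


def legitimate_token() -> str:
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "upn": "victim@corp.example.test"}
    return sign_token(claims, "aad-2023", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["aad-2023"])


def forged_token() -> str:
    """What an attacker holding only the consumer key can mint: enterprise
    issuer and victim identity in the claims, consumer key on the signature."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "upn": "victim@corp.example.test"}
    return sign_token(claims, "msa-2016", KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-2016"])


if __name__ == "__main__":
    for name, tok in (("legitimate", legitimate_token()), ("forged", forged_token())):
        print(name, "flawed:", validate_flawed(tok, MAIL_AUDIENCE) is not None,
              "hardened:", validate_hardened(tok, MAIL_AUDIENCE, ENTERPRISE_ISSUER) is not None)
```

The forged token passes `validate_flawed` and is rejected by `validate_hardened` purely because of where the key lookup happens. A production verifier also checks token expiry and the key's own validity window (Microsoft notes the stolen key was inactive), which this example omits for brevity.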
In addition to revoking the key, Microsoft has made the audit logs that reveal this kind of activity, including mailbox item access events, available to all O365 customers at no extra cost; that level of detail previously required a premium licence.
Make sure your security team knows what to look for in the O365 audit logs and start checking for mailbox access from unfamiliar applications, IP addresses, or user agents, along with the other indicators of compromise Microsoft published. Details on how to do this can be found in this posting from Microsoft.
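One concrete way to start that hunt, as an added example rather than anything from Microsoft's guidance: build each user's baseline of (application, source network) pairs from older MailItemsAccessed events, flag newer events that fall outside it, and then look for one source touching several mailboxes, which is what a single actor holding forged tokens looks like. The records below are constructed to resemble Unified Audit Log entries (Operation, UserId, ClientIP, AppId and ClientInfoString are real field names, but the values and the AppId placeholders are made up).

```python
"""
Hunting for mailbox access from unfamiliar sources in Exchange Online audit
data. Added example; the records are constructed to look like Unified Audit
Log AuditData entries, and the baseline heuristic is this page's, not
Microsoft's published detection logic.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

OWA_APP = "app-owa"          # hypothetical AppId values; real logs carry GUIDs
DESKTOP_APP = "app-outlook"


def _rec(ts, user, ip, app, client, op="MailItemsAccessed"):
    return {"CreationTime": ts, "Operation": op, "UserId": user,
            "ClientIP": ip, "AppId": app, "ClientInfoString": client}


# Constructed sample: two weeks of normal use from the office /24, then on
# July 20 both mailboxes are read from one outside address via the web app.
SAMPLE_RECORDS = [
    _rec("2023-07-03T08:12:33", "alice@corp.example", "203.0.113.10", OWA_APP, "Client=OWA;..."),
    _rec("2023-07-05T09:01:10", "alice@corp.example", "203.0.113.12", OWA_APP, "Client=OWA;..."),
    _rec("2023-07-06T07:45:02", "bob@corp.example", "203.0.113.40", DESKTOP_APP, "Client=MSExchangeRPC"),
    _rec("2023-07-11T16:20:48", "bob@corp.example", "203.0.113.41", DESKTOP_APP, "Client=MSExchangeRPC"),
    _rec("2023-07-12T10:00:00", "alice@corp.example", "203.0.113.10", OWA_APP, "Client=OWA;...", op="UserLoggedIn"),
    _rec("2023-07-18T08:30:15", "alice@corp.example", "203.0.113.22", OWA_APP, "Client=OWA;..."),
    _rec("2023-07-20T03:14:07", "alice@corp.example", "198.51.100.7", OWA_APP, "Client=OWA;..."),
    _rec("2023-07-20T03:16:52", "bob@corp.example", "198.51.100.7", OWA_APP, "Client=OWA;..."),
]


def _when(record):
    return datetime.fromisoformat(record["CreationTime"])


def _source(record):
    """An access 'source' is (application, /24 network the client IP falls in)."""
    net = ipaddress.ip_network(f"{record['ClientIP']}/24", strict=False)
    return record["AppId"], str(net)


def build_baseline(records, cutoff_iso):
    """Per user, the (AppId, /24) pairs seen in MailItemsAccessed before the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = defaultdict(set)
    for r in records:
        if r["Operation"] == "MailItemsAccessed" and _when(r) < cutoff:
            baseline[r["UserId"]].add(_source(r))
    return baseline


def find_anomalies(records, cutoff_iso):
    """MailItemsAccessed events at or after the cutoff whose source the user
    has never used before. A user with no history flags every event, which
    is what you want for a mailbox that suddenly starts being read."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(records, cutoff_iso)
    hits = []
    for r in records:
        if r["Operation"] != "MailItemsAccessed" or _when(r) < cutoff:
            continue
        if _source(r) not in baseline.get(r["UserId"], set()):
            hits.append(r)
    return hits


def shared_sources(anomalies, min_users=2):
    """Group anomalies by (AppId, ClientIP): one client reading several
    mailboxes is the pattern of a single actor with forged tokens, not a
    user who happens to be on a new network."""
    users_by_source = defaultdict(set)
    for r in anomalies:
        users_by_source[(r["AppId"], r["ClientIP"])].add(r["UserId"])
    return {src: sorted(u) for src, u in users_by_source.items() if len(u) >= min_users}


if __name__ == "__main__":
    hits = find_anomalies(SAMPLE_RECORDS, "2023-07-15")
    for r in hits:
        print(r["CreationTime"], r["UserId"], r["ClientIP"], r["AppId"])
    print("shared sources:", shared_sources(hits))
```

In practice the baseline window should be weeks, not days, and the /24 grouping is a crude stand-in for whatever your organisation already knows about its egress ranges and VPN pools; the point is that a forged token produces a perfectly valid-looking access record, so the signal has to come from where and how the mailbox was read, not from a failed login.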
What to do?
This is an opportunity to explore and reinforce your security program, the team you have in place to monitor suspicious activity in your network—in O365 if you use it—or your other SaaS applications. You can also take advantage of the free tools Microsoft is offering because of this incident.
OnX has a team that can monitor O365 for unusual or abnormal logins and alert you to this kind of attack. This is where a security operations center (SOC) and managed network security services can be an extension of your security team.
Citrix NetScaler vulnerability is actively exploited
On July 18, Citrix released a patch for CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability in NetScaler ADC and NetScaler Gateway that threat actors had already used to drop a webshell on appliances. An appliance is exposed when it is configured as a Gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server. In the intrusion CISA documented, the actor used the webshell to try to move laterally into the victim’s network but was blocked by proper network segmentation. The exploitation was first discovered in June and reported to Citrix, which released the patch in July.
This is a considerable risk for large organizations that use the NetScaler product as the web frontend for their Citrix farms. There are other tools from F5 and Radware that can mitigate this risk and, in some cases, replace the NetScaler front end completely.
The Cybersecurity and Infrastructure Security Agency (CISA) released a detailed advisory about this on July 20 that includes the MITRE ATT&CK tactics and techniques to help organizations detect this threat actor. You can read the details here.
What to do?
If you have the NetScaler product deployed, then at a minimum you want to make sure that the Citrix patch has been applied. Because exploitation began before the patch existed, patching alone does not evict an attacker who has already dropped a webshell, so also check the appliance for the indicators of compromise in the CISA advisory. If your team needs help getting it patched, OnX has a very successful Patching-as-a-Service offering that is deployed to multiple hospitals and covers over 60,000 endpoints every month.
About the author
John Bruggeman is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity. He helps companies, boards, and C-level committees improve and develop their cybersecurity programs, create risk registers, and implement compliance controls using industry-standard frameworks like CIS, NIST, and ISO.