Cybersecurity News and Magazine

CISA: Hackers Breached Chemical Facilities’ Data in January

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that a cyberattack in January may have compromised sensitive information related to the nation's chemical facilities. Initially reported in March, the attack exploited a vulnerability in Ivanti products, leading to the temporary shutdown of two systems. In an advisory this week, CISA detailed that the Chemical Security Assessment Tool (CSAT) was specifically targeted by the cyber intrusion, which occurred between January 23 and 26. CSAT contains highly sensitive industrial data, and while all information was encrypted, CISA warned affected participants of the potential for unauthorized access.

Potential Data Compromised in Chemical Facilities' Targeting

CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations

CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts to reset any identical business or personal passwords. It also recommends that organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings

The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required

Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.

"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"

"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.

"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."

Enhancing Security Measures: Overcoming Barriers to Single Sign-On (SSO) Adoption Among SMBs

In its latest "Secure by Design" update, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted the critical importance of software manufacturers building security practices into their basic service tiers. The paper calls out a notable concern: the imposition of an "SSO tax," where essential security features such as Single Sign-On (SSO) are bundled as premium services, hindering their adoption among Small and Medium-sized Businesses (SMBs).

Implementing Single Sign-On (SSO) into Small and Medium-sized Businesses (SMBs)

SSO simplifies access management by allowing users to authenticate once and gain access to multiple applications, a crucial feature for enhancing security postures across organizations. However, its adoption faces significant hurdles, primarily due to cost implications and perceived operational complexities.

One of the primary challenges identified by CISA is pricing SSO capabilities as add-ons rather than including them in the base service. This "SSO tax" not only inflates costs but also creates a barrier for SMBs looking to bolster their security frameworks without incurring substantial expenses. By advocating for SSO to be a fundamental component of software packages, CISA aims to democratize access to essential security measures, positioning them as a customer right rather than a premium feature.

Beyond financial considerations, the adoption of SSO is also influenced by varying perceptions among SMBs. While some view it as a critical enhancement to their security infrastructure, others question its cost-effectiveness and operational benefits. Addressing these concerns requires clearer communication on how SSO can streamline operations and improve overall security posture, thereby aligning perceived expenses with tangible returns on investment.

Improving User Experience and Support

Technical proficiency poses another hurdle. Despite vendors providing training materials, SMBs often face challenges in effectively deploying and maintaining SSO solutions. The complexity involved in integrating SSO into existing systems and the adequacy of support resources provided by vendors are critical factors influencing adoption rates. Streamlining deployment processes and enhancing support mechanisms can mitigate these challenges, making SSO more accessible and manageable for SMBs with limited technical resources.

Moreover, the user experience with SSO implementation plays a pivotal role. Feedback from SMBs indicates discrepancies in the accuracy and comprehensiveness of support materials, necessitating multiple interactions with customer support, a time-consuming process for resource-constrained businesses. Simplifying user interfaces, refining support documentation, and offering responsive customer service are essential to improving the adoption experience and reducing operational friction.

In light of these updates, there is a clear call to action for software manufacturers. Aligning with the principles of Secure by Design, manufacturers should integrate SSO into their core service offerings, thereby enhancing accessibility and affordability for SMBs. By addressing economic barriers, improving user interfaces, and providing robust technical support, manufacturers can foster a more conducive environment for SSO adoption among SMBs.

CISA Releases 2024 SAFECOM Guidance: Boosting Emergency Communications Nationwide

CISA has released the new version of the SAFECOM Guidance on Emergency Communications Grants, developed in cooperation with SAFECOM and the National Council of Statewide Interoperability Coordinators (NCSWIC). The guidance is aimed at state, local, tribal, and territorial governments and public safety agencies that apply for federal emergency communications funding. CISA and NCSWIC work closely together to develop and maintain the SAFECOM Guidance, which goes into detail on financial, eligibility, and technical requirements.

The New CISA SAFECOM Guidelines

The main goal of the new SAFECOM Guidance is to help state, local, tribal, and territorial governments secure federal money for crucial emergency communications projects. Billy Bob Brown, Jr., Executive Assistant Director for Emergency Communications at CISA, stated: "The SAFECOM Guidance on Emergency Communications Grants is an essential resource that supports our collective efforts to strengthen the resilience and interoperability of emergency communications nationwide."

The guidance aims to provide a seamless experience for governments and agencies and is updated every year to reflect new developments in technology and cyber risk management. This ensures that grantees have access to the most recent guidelines and specifications required to build reliable, secure, and interoperable communication networks. By adhering to these standards, recipients can maximize federal funding by ensuring that investments align with both national and community interests. "Incorporating SAFECOM Guidance into project planning not only enhances funding prospects but also strengthens the overall emergency response capabilities of our communities," Brown said.

The document encourages stakeholders to adopt best practices in the planning, organizing, and execution of emergency communications projects to foster a uniform strategy across all governmental levels and public safety groups.

SAFECOM and Federal Agencies

Federal organizations such as the Office of Management and Budget and the Department of Homeland Security have acknowledged the SAFECOM Guidance as a vital resource since its establishment. Grant candidates are encouraged to use the SAFECOM Guidance to ensure that their projects are in line with state, local, tribal, or territorial emergency communications strategies. To address the diverse needs of public safety organizations and communities, the guidance places a strong emphasis on the integration of new technologies, cybersecurity measures, and interoperable communication systems.

Through the SAFECOM website, CISA offers resources and information on understanding federal grant criteria to further assist stakeholders. CISA remains dedicated to helping applicants create thorough plans that both satisfy funding requirements and improve the overall resilience of emergency communications infrastructure.

Chris Pashley Joins ARPA-H as Chief Information Security Officer

The Advanced Research Projects Agency for Health (ARPA-H) has appointed Chris Pashley as its Chief Information Security Officer (CISO). Pashley, formerly the Deputy Chief Information Security Officer at the Cybersecurity and Infrastructure Security Agency (CISA), announced his new role through a LinkedIn post.

ARPA-H, part of the U.S. Department of Health and Human Services, is dedicated to tackling the most challenging problems in health through innovative research programs grounded in urgency, excellence, and honesty. The agency aims to accelerate breakthroughs that enable every American to realize their full health potential, transforming the seemingly impossible into the possible and the actual.

Pashley’s appointment comes at a crucial time for ARPA-H as it seeks to develop and launch an agency-wide initiative to implement strong cybersecurity measures. His extensive experience and proven track record in cybersecurity make him an ideal fit for this pivotal role.

Chris Pashley's Background and Experience

Before joining ARPA-H, Pashley played a key role at CISA, where he supported efforts to strengthen the agency’s internal cybersecurity program. He worked closely with CISA’s CISO and Chief Information Officer to enhance the agency’s cybersecurity posture, ensuring that its systems and data were well-protected against the ever-evolving landscape of cyber threats.

Prior to his tenure at CISA, Pashley led the Cyber Threat Intelligence (CTI) team within the Security Operations Division at U.S. Customs and Border Protection (CBP). In this capacity, he focused on establishing the foundational elements of the CTI team, including its vision, mission, structure, and performance management. He also improved the team’s integration with and support to CBP’s Security Operations Center (SOC), providing senior leadership with critical updates on cyber threat activity.

Pashley’s move to the government sector in 2017 was preceded by a nearly seven-year stint at Booz Allen Hamilton, where he served as an associate. His work there laid the groundwork for his subsequent roles in government cybersecurity, equipping him with the skills and experience needed to navigate the complex and high-stakes environment of federal cybersecurity operations.

Pashley’s expertise will be instrumental in developing and implementing comprehensive cybersecurity measures across ARPA-H. His approach will likely involve a combination of proactive threat intelligence, rigorous security protocols, and continuous monitoring to protect the agency’s digital assets. With his extensive background in cybersecurity and proven leadership, Pashley is well-equipped to guide ARPA-H in protecting its vital research and operations. As the agency continues to push the boundaries of health innovation, robust cybersecurity measures will be crucial in ensuring the success and integrity of its groundbreaking work.

CISA Releases Guide on Modern Approaches to Network Access Security

By: Alan J
19 June 2024 at 16:15

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified numerous vulnerabilities in traditional virtual private network (VPN) solutions that have been exploited in recent high-profile cyberattacks, leading the agency to recommend that organizations adopt new approaches to network access security. CISA has urged businesses to move to modern approaches such as Secure Access Service Edge (SASE) and Security Service Edge (SSE), which integrate enhanced identity verification, adaptive access controls, and cloud-delivered security, as a step along their zero trust journey.

Vulnerabilities in Traditional VPN Systems

CISA has identified several vulnerabilities in legacy VPN systems that can enable broad network compromise if exploited, given the typical lack of granular access controls once a client is on the network. While VPNs give employees easy access to remote company applications and data servers, they also make organizations more susceptible to compromise through vulnerabilities inherent in typical network design. Recent examples of successful exploitation of VPNs include:
  • Vulnerabilities affecting Ivanti Connect Secure gateways (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) allowed threat actors to reverse tunnel from the VPN device, hijack sessions, and move laterally across victim networks while evading detection.
  • The Citrix Bleed vulnerability (CVE-2023-4966) enabled bypassing of multifactor authentication, allowing threat actors to impersonate legitimate users, harvest credentials, and conduct ransomware attacks.
Compromised user devices connected via VPN also introduce risk from poor cyber hygiene, and third-party vendors granted VPN access may lack sufficient network segmentation and least-privilege protections. While some VPNs can enforce firewall policies, not all provide the identity-based adaptive access controls central to zero trust. Software-based VPNs also carry inherent vulnerabilities lacking in hardware-based solutions.

Modern Solutions to Network Access Security

Modern alternatives to VPN-based network access control include zero trust architecture, SSE, SASE and identity-based adaptive access policies. These solutions grant access to applications and services based on continuous, granular validation of user identity and authorization, rejecting requests that are not explicitly authorized for the specific resource. Zero trust is a collection of concepts and ideas that help organizations enforce accurate per-request access decisions based on the principle of least privilege. SASE combines networking and security functions, policies and services within a single cloud-delivered platform; SSE is the security-services portion of that model, delivered without the networking layer.

Key capabilities like multi-factor authentication, endpoint security validation, and activity monitoring better secure data in transit while reducing attack surface. Tighter access controls also help secure data at rest by limiting exposure of internal applications. Effectiveness relies heavily on aligning network and infrastructure with zero trust principles such as least privilege. Implementing zero trust even partially can greatly enhance protection against threats and data loss.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
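The per-request access decision described above, as an added illustration that is not from the CISA guide or any vendor product: a small Python policy function that re-checks session freshness, device binding, MFA status, device posture and resource-level entitlement on every request, placed next to a legacy VPN-style decision that only asks whether the tunnel session is still valid. The entitlement table, the device-posture flag and the session fields are hypothetical stand-ins for what an identity provider and endpoint management system would supply.

```python
"""Added example: per-request (zero trust) access decisions vs. network-level
VPN access. Illustrative only; the entitlement table, posture signal and
session fields are hypothetical, not from any product or CISA guidance."""

from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Hypothetical entitlement table: user -> resource -> permitted actions.
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"hr-portal": {"read"}, "git": {"read", "write"}},
    "bob": {"git": {"read"}},
}

SESSION_TTL = 900  # seconds before the caller must re-authenticate


@dataclass(frozen=True)
class Session:
    user: str
    issued_at: float      # epoch seconds when the session was issued
    mfa_verified: bool
    device_id: str        # device the session was bound to at issuance


@dataclass(frozen=True)
class Request:
    session: Session
    now: float
    device_id: str          # device presenting the session right now
    device_compliant: bool  # posture signal from endpoint management (assumed)
    resource: str
    action: str


def legacy_vpn_decide(req: Request) -> Tuple[bool, str]:
    """Network-level model: a valid session puts the client on the network,
    and every internal resource is then reachable regardless of entitlement."""
    if req.now - req.session.issued_at > SESSION_TTL:
        return False, "deny: session expired"
    return True, "allow: on-network, no per-resource check"


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Per-request model: every signal is re-checked on every request and the
    first failing check denies; the order only affects the reason string."""
    s = req.session
    if req.now - s.issued_at > SESSION_TTL:
        return False, "deny: session expired, reauthenticate"
    if req.device_id != s.device_id:
        # A stolen session token replayed from another device fails here even
        # though the token itself has not expired.
        return False, "deny: session presented from a different device"
    if not s.mfa_verified:
        return False, "deny: MFA not completed"
    if not req.device_compliant:
        return False, "deny: device posture non-compliant"
    allowed = ENTITLEMENTS.get(s.user, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"deny: {s.user} has no '{req.action}' on {req.resource}"
    return True, f"allow: {s.user} {req.action} {req.resource}"


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed requests through both models.
    Returns case name -> (legacy_allowed, zero_trust_allowed)."""
    t0 = 1_700_000_000.0  # constructed issuance time
    alice = Session("alice", t0, mfa_verified=True, device_id="laptop-a1")
    cases = {
        "alice reads git from her laptop":
            Request(alice, t0 + 60, "laptop-a1", True, "git", "read"),
        "alice writes hr-portal (no entitlement)":
            Request(alice, t0 + 60, "laptop-a1", True, "hr-portal", "write"),
        "alice token replayed from unknown device":
            Request(alice, t0 + 60, "kiosk-9", True, "git", "read"),
        "alice laptop falls out of compliance":
            Request(alice, t0 + 60, "laptop-a1", False, "git", "read"),
        "alice session expired":
            Request(alice, t0 + 3600, "laptop-a1", True, "git", "read"),
    }
    return {name: (legacy_vpn_decide(r)[0], zero_trust_decide(r)[0])
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (legacy, zt) in demo().items():
        print(f"{name:42s} legacy={legacy!s:5s} zero_trust={zt}")
```

The contrast is the point: the legacy function allows four of the five constructed requests because it never looks past "is the tunnel up", while the per-request function denies the missing entitlement, the replayed token, the non-compliant device and the stale session. The device-binding check is the one that matters against a stolen session token of the kind the Citrix Bleed case above describes; in a real deployment that signal, the posture flag and the entitlements come from the identity provider and endpoint management system rather than from in-process tables.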

CISA & EAC Release Guide to Enhance Election Security Through Public Communication

In a joint effort to enhance election security and public confidence, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Election Assistance Commission (EAC) have released a comprehensive guide titled “Enhancing Election Security Through Public Communications.” This guide on election security is designed for state, local, tribal, and territorial election officials who play a critical role as the primary sources of official election information.

Why Communication is Important in Election Security

Open and transparent communication with the American public is essential to maintaining trust in the electoral process. State and local election officials are on the front lines, engaging with the public and the media on numerous election-related topics. These range from election dates and deadlines to voter registration, candidate filings, voting locations, election worker recruitment, security measures, and the publication of results. The new guide aims to provide these officials with a strong framework and practical tools to develop and implement an effective, year-round communications plan.

“The ability for election officials to be transparent about the elections process and communicate quickly and effectively with the American people is crucial for building and maintaining their trust in the security and integrity of our elections process,” stated CISA Senior Advisor Cait Conley.

The election security guide offers practical advice on how to tailor communication plans to the specific needs and resources of different jurisdictions. It includes worksheets to help officials develop core components of their communication strategies. This approach recognizes the diverse nature of election administration across the United States, where varying local contexts require customized solutions.

EAC Chairman Ben Hovland, Vice Chair Donald Palmer, Commissioner Thomas Hicks, and Commissioner Christy McCormick collectively emphasized the critical role of election officials as trusted sources of information. “This resource supports election officials to successfully deliver accurate communication to voters with the critical information they need before and after Election Day,” they said. Effective and transparent communication not only aids voters in casting their ballots but also helps instill confidence in the security and accuracy of the election results.

How Tailored Communication Enhances Election Security

The release of this guide on election security comes at a crucial time when trust in the electoral process is increasingly under scrutiny. In recent years, the rise of misinformation and cyber threats has posed significant challenges to the integrity of elections worldwide. By equipping election officials with the tools to communicate effectively and transparently, CISA and the EAC are taking proactive steps to safeguard the democratic process.

One of the strengths of this guide is its emphasis on tailoring communication strategies to the unique needs of different jurisdictions. This is a pragmatic approach that acknowledges the diverse landscape of election administration in the U.S. It recognizes that a one-size-fits-all solution is not feasible and that local context matters significantly in how information is disseminated and received.

Furthermore, the guide’s focus on year-round communication is a noteworthy aspect. Election security is not just a concern during election cycles but is a continuous process that requires ongoing vigilance and engagement with the public. By encouraging a year-round communication plan, the guide promotes sustained efforts to build and maintain public trust.

However, while the guide is a step in the right direction, its effectiveness will largely depend on the implementation by election officials at all levels. Adequate training and resources must be provided to ensure that officials can effectively utilize the tools and strategies outlined in the guide. Additionally, there needs to be a concerted effort to address potential barriers to effective communication, such as limited funding or technological challenges in certain jurisdictions.

To Wrap Up

The “Enhancing Election Security Through Public Communications” guide by CISA and the EAC is a timely and necessary resource for election officials across the United States. As election officials begin to implement the strategies outlined in the guide, it is imperative that they receive the support and resources needed to overcome any challenges. Ultimately, the success of this initiative will hinge on the ability of election officials to engage with the public in a clear, accurate, and transparent manner, thereby reinforcing the security and integrity of the election process.

CISA Warns of Phone Scammers Impersonating Its Employees

By: Alan J
13 June 2024 at 12:39

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recent impersonation scam in which scammers posed as its representatives and employees. Fraudsters in the campaign may extort money in various ways, such as bank transfers, gift cards or cryptocurrency payments.

CISA Impersonation Scam

The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:
  • Unsolicited phone calls that claim to be from CISA.
  • Callers requesting personal information, such as passwords, social security numbers, or financial information.
  • Callers demanding payment or transfer of money to "protect" your account.
  • Callers creating a sense of urgency or pressuring you to take immediate action.
If you're targeted by a CISA impersonation scam, here's what you should do:
  • Do not pay the caller.
  • Record the numbers used.
  • Hang up the phone immediately while ignoring further calls from suspicious numbers.
  • Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).

FTC Observes Uptick in Impersonation Scams

The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:
  1. Copycat account security alerts: Scams that impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges on the target's account.
  2. Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
  3. Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
  4. Bogus problems with the law: Scammers try to deceive targets into believing that their identity has been used to commit serious crimes such as money laundering or drug smuggling.
  5. Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.
To avoid such scams, the FTC has advised consumers not to click on unexpected links or messages, to avoid any scenario where gift cards are offered as a way to fix a problem, and to scrutinize urgent offers and claims.