Universal Health Services lost $67m to ransomware attack

UHS was among the first hit with the coordinated ransomware wave that targeted the healthcare sector last year. On September 29 last year, Universal Health Services announced in a press release that due to an IT security incident that took place two days earlier, it had to suspend user access to its IT applications related to operations located in the United States.
In the early hours of September 27, UHS clinicians and staff members took to Reddit to determine if other UHS employees across the country were experiencing similar computer and phone outages.
The thread detailed internet and data center outages, with one employee attributing the incident to a ransomware attack after seeing ransom messages from the Ryuk hacking group displayed on some computer screens.
Upon discovery, the IT team took all systems offline to prevent further propagation. The following day, UHS officials confirmed the event as an IT disruption, before reporting it as a malware infection several days later.
The disruption caused by the ransomware attack was immense, considering UHS is among the largest providers of hospital and healthcare services in the US, featuring among Fortune 500 companies in 2019 with annual revenue of $11.4 billion and also ranking #330 in Forbes list of U.S.' Largest Public Companies.
The company employs around 90,000 people across 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities, and a number of ambulatory care access points and a network of physicians. Aside from the US, Universal Health Services also operates in Puerto Rico and the United Kingdom.
UHS said that it immediately implemented extensive IT security protocols and was working with security partners to restore the affected IT services as soon as possible. The incident caused temporary disruption to some clinical and financial operations, forcing acute care and behavioural health facilities to rely on offline documentation efforts to deliver round-the-clock patient care.

CISA Announces Transfer of .gov Top-Level Domain from US General Services Administration

The Cybersecurity and Infrastructure Security Agency (CISA) announced it will begin overseeing the .gov top-level domain (TLD) in April 2021. CISA is working closely with the U.S. General Services Administration, who currently oversees the TLD, to ensure a seamless transition of daily operations for .gov customers.
“Using .gov and increasing trust that government communications are authentic will improve our collective cybersecurity,” said Eric Goldstein, Executive Assistant Director for CISA’s Cybersecurity Division. “People see a .gov website or email address and know they are interacting with an official, U.S.-based government organization. Using .gov also provides security benefits, like two-factor authentication on the .gov registrar and notifications of DNS changes to administrators, over other TLDs. We’ll endeavor to make the TLD more secure for the American public and harder for malicious actors to impersonate.”
.gov is one of the six original TLDs in the internet’s domain name system (DNS). The TLD is actively used by each branch of the federal government, every state in the nation, hundreds of counties and cities, and many tribes and territories as they serve the public on the internet. The DOTGOV Act of 2020 shifted responsibility for managing .gov to CISA as the nation’s civilian cybersecurity agency.
Because the TLD is central to the availability and integrity of thousands of online services relied upon by millions of users, .gov is critical infrastructure for governments throughout the country and all aspects of its administration have cybersecurity significance. Under the actions required by the Act, CISA will work to increase security and decrease complexity for our government partners.

Police arrest 11 suspects of 'Anonymous Malaysia' hacker group

Eleven men, believed to be part of the "Anonymous Malaysia" hacker group, have been detained following six raids conducted by Malaysian police in Pahang, Johor, Perak and the Klang Valley. The group was believed to be responsible for cyber attacks on websites belonging to the government and the private sector.
Deputy Inspector-General of Police Acryl Sani Abdullah Sani said the suspects, aged between 22 and 40, were detained following the group's recent threat to hack the government's computer system.
Among those arrested by the Commercial Crime Investigation Department of Malaysian police headquarters, he said, was the administrator of the Anonymous Malaysia Facebook page.
"We will investigate further and ascertain if there are other members of the group," he told reporters after visiting a Covid-19 police roadblock set up at a Selangor toll plaza.
Datuk Seri Acryl Sani said the group was believed to be responsible for cyber attacks on websites belonging to the government and the private sector.
"We are not ruling out the possibility of 17 websites having been hacked," he added.
It was learnt that the suspects were also responsible for hacking the systems belonging to the Johor and Sabah state governments as well as Malaysia's International Trade and Industry Ministry.

Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS

The National Security Agency (NSA) and CISA have released a Joint Cybersecurity Information (CSI) sheet with guidance on selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally, organizations can use DNS query logs for incident response and threat hunting activities.
CISA encourages users and administrators to consider the benefits of using a protective DNS service and review NSA and CISA’s CSI sheet on Selecting a Protective DNS Service for more information.
Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead (T1583.001); threat actors lace phishing emails with malicious links (T1566.002); a compromised device may seek commands from a remote command and control server (TA0011); a threat actor may exfiltrate data from a compromised device to a remote host (TA0010). The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise.
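How the blocking and query-log review described above can work, as an added example that is not taken from the NSA/CISA sheet or from any PDNS product. The resolver log format, the blocklist and known-good entries, the two-label base-domain rule and the fan-out threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; .example and .test are reserved names (RFC 2606).
BLOCKLIST = {"malware-c2.test", "phish-login.example"}
KNOWN_GOOD = {"payroll.example", "intranet.example"}

# Constructed resolver log: "<timestamp> <client IP> <query name> <type>"
SAMPLE_LOG = """\
2021-03-04T09:00:01Z 10.0.0.5 intranet.example. A
2021-03-04T09:00:07Z 10.0.0.5 payrol.example. A
2021-03-04T09:01:12Z 10.0.0.9 beacon.malware-c2.test. A
2021-03-04T09:01:40Z 10.0.0.7 www.phish-login.example. AAAA
2021-03-04T09:02:00Z 10.0.0.8 a1f3.files.test. TXT
2021-03-04T09:02:01Z 10.0.0.8 b7c2.files.test. TXT
2021-03-04T09:02:02Z 10.0.0.8 c9d0.files.test. TXT
2021-03-04T09:02:03Z 10.0.0.8 d4e8.files.test. TXT
"""


def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.rstrip(".").lower()


def blocked_by(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers qname (itself or a parent zone)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match only on label boundaries
        if candidate in blocklist:
            return candidate
    return None


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def base_domain(qname):
    # Assumption: the last two labels; a real deployment would consult the
    # Public Suffix List instead.
    return ".".join(normalize(qname).split(".")[-2:])


def lookalike_of(qname, known_good=KNOWN_GOOD, max_distance=1):
    """Return the known-good domain that qname is a near-miss of, if any."""
    base = base_domain(qname)
    if base in known_good:
        return None
    for good in sorted(known_good):
        if osa_distance(base, good) <= max_distance:
            return good
    return None


def evaluate(log_text, fanout_threshold=4):
    """Return (timestamp, client, name, kind, detail) findings for a query log."""
    findings = []
    fanout = defaultdict(set)  # (client, base domain) -> distinct names queried
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, client, qname, _qtype = parts
        name = normalize(qname)
        hit = blocked_by(name)
        if hit:
            findings.append((ts, client, name, "BLOCK", hit))
            continue
        good = lookalike_of(name)
        if good:
            findings.append((ts, client, name, "LOOKALIKE", good))
        fanout[(client, base_domain(name))].add(name)
    # Many distinct names under one unfamiliar zone from one client is a
    # hunting lead for data carried in DNS labels.
    for (client, base), names in sorted(fanout.items()):
        if base not in KNOWN_GOOD and len(names) >= fanout_threshold:
            findings.append((None, client, base, "FANOUT", str(len(names))))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(finding)
```

The BLOCK results are what a protective resolver would refuse to answer; the LOOKALIKE and FANOUT results are review leads drawn from the same query log, not verdicts.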
Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as recommendations for provider selection. Users of these services must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.

GAO report finds DOD's weapons programs lack clear cybersecurity guidelines

DOD's network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks. However, GAO reported in 2018 that DOD was routinely finding cyber vulnerabilities late in its development process.
A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD's implementation of cybersecurity for weapon systems in development. GAO's report addresses (1) the extent to which DOD has made progress in implementing cybersecurity for weapon systems during development, and (2) the extent to which DOD and the military services have developed guidance for incorporating weapon systems cybersecurity requirements into contracts.
Since GAO's 2018 report, the Department of Defense (DOD) has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. For example, GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs. It is important that DOD sustain its efforts as it works to improve weapon systems cybersecurity.
Contracting for cybersecurity requirements is key. DOD guidance states that these requirements should be treated like other types of system requirements and, more simply, “if it is not in the contract, do not expect to get it.” Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded. A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.
DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance that helps ensure that DOD appropriately addresses cybersecurity requirements in contracts.
GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD concurred with two recommendations, and stated that the third—to the Marine Corps—should be merged with the one to the Navy. DOD's response aligns with the intent of the recommendation.

CISA Issues Emergency Directive for Federal Agencies to Patch Critical Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday.  It also requires agencies who are currently able to do so to collect forensic images. All agencies are also required to search for known indicators of compromise after patching, and if indicators are found, contact CISA to begin incident response activities.  The directive is in response to observed active exploitation of these products using previously unknown vulnerabilities.  CISA also issued an activity alert to provide additional information and to encourage other public and private sector organizations to take steps to protect their networks.
“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales.  “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”
ED 21-02 reflects CISA’s determination that exploitations that pose an unacceptable risk to the federal civilian executive branch agencies require emergency action.  CISA made this assessment on the basis of 1) current exploitation of these vulnerabilities, 2) the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.
CISA and the National Security Agency worked with Microsoft and security researchers to identify detection and mitigation approaches to these vulnerabilities, for which Microsoft released the patch this afternoon.  Cloud services such as Microsoft 365 and Azure systems are not known to be affected by this vulnerability.

NSCAI Report presents strategy for winning the artificial intelligence era

The 16 chapters in the National Security Commission on Artificial Intelligence (NSCAI) Main Report provide topline conclusions and recommendations. The accompanying Blueprints for Action outline more detailed steps that the U.S. Government should take to implement the recommendations.
The NSCAI acknowledges how much remains to be discovered about AI and its future applications. Nevertheless, enough is known about AI today to begin with two convictions.
First, the rapidly improving ability of computer systems to solve problems and to perform tasks that would otherwise require human intelligence—and in some instances exceed human performance—is world altering. AI technologies are the most powerful tools in generations for expanding knowledge, increasing prosperity, and enriching the human experience. AI is also the quintessential “dual-use” technology. The ability of a machine to perceive, evaluate, and act more quickly and accurately than a human represents a competitive advantage in any field—civilian or military. AI technologies will be a source of enormous power for the companies and countries that harness them.
Second, AI is expanding the window of vulnerability the United States has already entered. For the first time since World War II, America’s technological predominance—the backbone of its economic and military power—is under threat. China possesses the might, talent, and ambition to surpass the United States as the world’s leader in AI in the next decade if current trends do not change. Simultaneously, AI is deepening the threat posed by cyber attacks and disinformation campaigns that Russia, China, and others are using to infiltrate our society, steal our data, and interfere in our democracy. The limited uses of AI-enabled attacks to date represent the tip of the iceberg. Meanwhile, global crises exemplified by the COVID-19 pandemic and climate change highlight the need to expand our conception of national security and find innovative AI-enabled solutions.
Given these convictions, the Commission concludes that the United States must act now to field AI systems and invest substantially more resources in AI innovation to protect its security, promote its prosperity, and safeguard the future of democracy.
Full report is available at https://reports.nscai.gov/final-report

Decoding public finance for disaster risk reduction and climate investments

The need to increase investments in disaster risk reduction (DRR) and climate change adaptation (CCA) is a well-accepted priority to minimize losses from disaster and climate change. However, there are challenges in articulating how much countries ought to spend, what areas they should prioritize, and which types of measures are more effective in reducing risk and losses. The absence of baseline information on expenditure trends hampers the analysis of the most cost-efficient ways to reduce risk.
One way to gain insights into the current levels of investments is by conducting a review of public expenditure. The goal of such a review and budget tracking is to advise decision-makers on where gaps exist to realign budgets with priorities.
To aid this, some tools and methodologies have been developed to help governments track expenditures. Among these are ‘policy markers’ to conduct risk-sensitive budget reviews, climate and disaster risk management Public Expenditure and Institutional Reviews (PEIR), or longer-term initiatives on climate budget tagging.  Other methods of financial tracking include using national accounting systems and environmental expenditure reviews.
While there have been a few national exercises that have applied these tools and some success stories on institutionalizing budget tagging within performance budgeting and public financial management reforms, most countries in Asia-Pacific and sub-Saharan Africa do not track disaster-related investments and expenditures.
To increase uptake among countries, UNDRR’s Regional Offices for Asia-Pacific and Africa collaborated with UNDP to organize a two-day consultation on 3-4 February that brought together 69 representatives of organizations who have experience in conducting such reviews to exchange lessons and discuss how the methodology could be improved to better link DRR and CCA public expenditures.
“Disaster risk management public expenditure and institutional reviews have emerged as a critical tool for advocating for greater investment in disaster risk reduction and climate change adaptation, especially from the context of results-based decision making,” said Mr. Ronald Jackson, Head of UNDP’s Disaster Risk Reduction and Recovery team.
Where public expenditure reviews have been conducted, they have helped shed light on current levels of investment. For example, a recent review of 16 African countries conducted by the UNDRR Regional Office for Africa found that investments in DRR projects represent only 4% of national budgets on average.
“With the social-economic impacts of the COVID-19 crisis and the ongoing climate emergency, it is becoming increasingly evident that governments need to increase budgetary allocations for disaster risk reduction and climate change adaptation,” commented Mr. Amjad Abbashar, Chief of the UNDRR Regional Office for Africa.
The purpose of budget tracking is not only to ensure proper allocation to line ministries at the central level but also to ensure that local governments receive support that is proportional to the disaster risks and impacts they are facing and their responsibilities to address them.
“In Malawi, we found that only 1% of environmental expenditure was spent at the district level. Yet it is at the district level that many of the environmental and climate resilience challenges exist and need to be addressed,” said Mr. David Smith of the joint UNDP-UNEP Poverty and Environment Initiative for Africa.
Another example is Nepal, which has transitioned to a federal system and devolved responsibilities to the local level, but is allocating only 15% of national appropriations to municipal governments, according to an example highlighted by Ms. Charlotte Benson, Principal Disaster Risk Management Specialist with the Asian Development Bank.
In addition to vertical and horizontal distributions of funds, another aspect of expenditure tracking that countries should consider is “negative expenditures”, which are expenses from risk-blind initiatives that negatively impact the achievement of climate and disaster resilience goals. This was a point echoed by both Mr. Asad Maken, UNDP’s Regional Advisor Governance of Climate Change Finance for the Asia Pacific Region, and Mr. Nohman Ishtiaq, UNDP Advisor to Pakistan’s Ministry of Finance.
Regardless of what methodology is adopted in reviewing, tagging and tracking expenditures, there was a consensus on the need to build the capacity of climate and disaster risk management agencies, in addition to the ministries of finance, to ensure that such coding expenditure and tracking become embedded in routine government processes.
This capacity building is particularly important considering that many of the country examples that were shared - Fiji, Mauritius, Mozambique and Pakistan - highlighted the need to contextualize tracking processes to local circumstances.
Moreover, conducting a budget tagging exercise or a public expenditure review can help developing countries access new streams of financing to implement DRR and CCA plans:
“We work very closely with National Designated Authorities that are ambitious in preparing Green Climate Fund proposals only to find that their lack of knowledge of ongoing climate and disaster-related expenditure is a huge hurdle for them to fill out the proposal,” noted Ms. Shivaranjani Venkatramani, a consultant with Oxford Policy Management, who has supported NDAs in South and Southeast Asia.
More importantly, simply engaging ministries of finance and planning in a budget tracking or public expenditure review can help bring DRR and CCA efforts into “the heart of economic decision making” and “shift climate and disaster resilience away from being an external environmental agenda to a domestic development priority,” according to Mr. Paul Steele, Chief Economist at the International Institute for Environment and Development (IIED).
Beyond the benefits of helping governments uncover funding gaps, monitor the effectiveness of spending, facilitate decision making, improve transparency and raise awareness among critical partners, budget tagging and expenditure reviews can be part of a larger approach towards strengthening risk financing and risk-informing development process as a whole.
“Governments should move from a contingent liability approach of public financing to a social risk management approach to reduce unplanned expenditures. It is equally important that we complement public finance tagging and tracking with the required level of political advocacy, such as with the ongoing work on the Task Force on Climate-related Financial Disclosures,” noted Mr. Animesh Kumar, Officer-in-Charge of UNDRR’s Regional Office for Asia and the Pacific.
Developing a good understanding of the budgetary landscape can also help countries develop integrated national financing frameworks (INFF), which are a tool to finance national priorities, including the implementation of national DRR strategies.
At the global level, it was noted that much of what was discussed at the consultation can feed into ongoing global intergovernmental processes related to the 2030 Agenda.
“The timeliness of this workshop is essential in that there are very important global initiatives that are unfolding, and the knowledge unearthed in this conversation can benefit the considerations and deliberations for the implementation of these initiatives,” said Mr. Marco Toscano-Rivalta, Head of UNDRR’s Liaison Office in New York and Chief (designate) of UNDRR’s Regional Office for Asia and the Pacific.
Examples of such initiatives include the Interagency Task Force on Financing for Development and High-Level Meeting on ‘Financing for Development in the Era of COVID-19 and Beyond.’ Mr. Toscano-Rivalta also highlighted the potential role of national supreme auditors in budgetary and expenditure tracking to generate the desired level of accountability and transparency.
As a follow-up to the consultation, the group will consider documenting the methodologies and case studies in the form of a publication and potentially consider an analysis of how DRR and CCA could be imbedded in COVID-19 economic recovery efforts.
[Source: UNDRR]

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP

The European Union Agency for Cybersecurity (ENISA) provides authorities with technical guidance on the 5G Toolbox measure for security requirements in existing 5G standards.
The Agency has released its Security in 5G Specifications Report about key security controls in the Third Generation Partnership Project (3GPP), the main body developing technical specifications for fifth generation of mobile telecommunications (5G) networks. As vendors, system integrators and operators build, deploy and manage 5G networks, the ENISA publication underlines the need for cybersecurity and for the national regulatory authorities in charge of cybersecurity policy development and implementation to have a good understanding of these controls.
This new ENISA report is directly driven by the objectives set in the EU toolbox for 5G security - mainly technical measure ‘TM02’. This technical measure calls on the relevant authorities in EU Member States to ensure and evaluate the implementation of security measures in existing 5G standards (3GPP specifically) by operators and their suppliers.
The aim of the report is to help national and regulatory authorities to better understand the standardisation environment pertaining to 5G security, 3GPP security specifications and key security controls that operators must implement to secure 5G networks.
More specifically, the report provides:
- A high-level overview of the specification and standardisation landscape for the security of 5G networks, and of the main activities by various standardisation organisations and industrial groups in the area of 5G;
- An explanation of the technical specifications developed by 3GPP for the security of 5G networks, with a focus on optional security features;
- Summary of key findings and good security practices.
The ENISA report also covers security considerations beyond standards and specifications, such as testing and assurance, product development, network design, configuration and deployment, and operation and management.

WMO boosts regional cooperation in Asia-Pacific

The Typhoon Committee, which symbolizes the successful cooperation between WMO and the United Nations Economic and Social Commission for Asia and the Pacific, holds its 53rd annual session, with participants from the National Meteorological and Hydrological Services (NMHSs) and national Disaster Risk Reduction (DRR) agencies who will exchange information on achievements of the past session, review activities of the Members, as well as operational and research collaborations, with the clear focus on reducing the number of lives lost and damage to property caused by tropical cyclones and typhoons.
On top of the disruption and catastrophic impacts caused by COVID-19, the Asia-Pacific region was hit by successive hazards in 2020, including tropical cyclones, floods, droughts, sand and dust storms and heatwaves. 23 named tropical cyclones of tropical storm intensity or above formed over the western North Pacific and the South China Sea.
The strongest tropical cyclone of the season was Super Typhoon Goni (2019). It made landfall over northern Philippines on 1 November and caused catastrophic damage. A minimum pressure of 912.1 hPa was reported in Virac and a maximum gust of 198 km/h was reported in Legaspi City. 25 people died and 399 were injured, and the social and economic loss was estimated to be over 17 billion Philippines Peso, according to a report from the Philippines national meteorological and hydrological service PAGASA.
Two major tropical cyclones hit the Korean Peninsula within a few days in early September, with Typhoon Maysak making landfall near Busan on 3 September, followed by Haishen on 7 September. Maysak brought 1037 mm of rainfall over two days to a site on Jeju Island, and wind gusts on the island up to 165.6 km/h, with high waves of more than 8 m. The damage costs of Maysak and Haishen reached over 200 million USD, with a possible recovery cost of 548 million USD, according to a report submitted to the Typhoon Committee by the Korea Meteorological Administration. Both tropical cyclones led to significant flooding on the Korean Peninsula and in western Japan, and 41 lives were lost when a ship sank off western Japan during the passage of Maysak.
Sustainable Development
Although countries across the region have committed to achieving the Sustainable Development Goals (SDGs) by 2030 — to ensure that ‘no one is left behind’ – this will remain a challenge if their populations remain susceptible to disasters that threaten to reverse hard-won progress towards the SDGs.
Building on the success of the Typhoon Committee, WMO continues to work with countries in the region, often in partnership with other United Nations entities, to build greater resilience to natural disasters that wreak a heavy economic and human toll.
In particular, WMO and UNESCAP in 2020 focused on implementing collaborative activities under their Memorandum of Understanding (MoU). These activities highlight the synergistic benefits that are derived from both organisations’ work on building resilience to climate and disaster risks and the promotion of impact-based early warning services and systems.
This MoU was renewed by Ms Armida Salsiah-Alisjahbana, Under-Secretary-General of the United Nations and Executive Secretary of UNESCAP and Prof. Petteri Taalas, Secretary-General of WMO on 21 September 2019 during the UN Climate Summit held in New York, based on their aligned values and objectives and desire to work together in areas of mutual interest.
A Joint Workshop on Strengthening Multi-Hazard Early Warning Systems and Early Actions in Southeast Asia was organized by WMO and hosted by UNESCAP in Bangkok, Thailand from 18 to 20 February 2020. Participants reached a consensus on developing a coordinated Southeast Asia-wide framework for strengthening the hydro-meteorological disaster risk management and capacity development of National Meteorological and Hydrological Services.
The Regional Climate Outlook Fora (RCOFs) have been guided and supported by WMO and its partners to promote collaboration, knowledge and information sharing on seasonal climate prediction and its likely implications for the most impacted socio-economic sectors since the late 1990s. The potential to add further value to the outputs of RCOFs through impact-based products was introduced by UNESCAP during the South Asian Seasonal Climate Outlook Forum (SASCOF), the Forum on Regional Climate Monitoring, Assessment and Prediction for Asia (FOCRAII) and the East Asia winter Climate Outlook Forum (EASCOF).
Looking ahead, with its official membership in the United Nations’ Regional Collaborative Platform in Asia and the South-West Pacific, WMO will build on the achievements of 2020 and further expand regional cooperation in the broader context of sustainable development. In 2021, the partnership will continue its critically important mission to build resilience to climate and disaster risk; and promote the social and economic benefits of impact-based early warning services in the Asia Pacific region. WMO’s longstanding and manifold regional initiatives and capacity development programmes in Asia-Pacific will now be further enhanced.