ICYMI, on Wednesday, January 6, 2021, the United States Department of Justice (DOJ) issued an update about what it termed “a major incident under the Federal Information Security Modernization Act”: the global SolarWinds cyberattack that had compromised its email system. (SolarWinds is a software provider. In December, 2020, SolarWinds revealed that cybercriminals had injected malware into its Orion® Platform software, a platform used for centralized IT monitoring and management. In doing so, the cybercriminals were able to attack subsequent users of the software, i.e., SolarWinds’ clients, including multiple federal agencies and technology contractors.) The DOJ’s update advised that after removing the malware, it determined that 3 percent of the DOJ’s O365 mailboxes were potentially accessed, albeit there was no indication that any classified systems were impacted. This update was covered by Robinson+Cole’s Data Privacy + Cybersecurity Insider.

Cyber-crime continues to permeate all industries, including real estate development and construction. The SolarWinds incident could just as easily have occurred with a construction management company or general contractor using the construction industry’s various project management software programs. Digital attacks can intercept sensitive information, divert funds and hold hostage a company’s computer systems. Robinson+Cole’s Construction Group is available to discuss the value of adding data privacy and cybersecurity protocols to design and construction agreements, and its Data Privacy + Security Team is available to assist businesses in determining their current risks and liability exposure as well as the benefits of having cyber-liability insurance coverage.

This post was authored by Virginia Trunkes and is also being shared on our Construction Law Zone blog. If you’re interested in getting updates on current developments and recent trends in all areas of construction law, we invite you to subscribe to the blog.


The National Security Agency (NSA) issued a Cybersecurity Advisory on October 20, 2020, entitled “Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities,” alerting IT professionals to 25 vulnerabilities that Chinese state-sponsored hackers are using against U.S. businesses that “can be exploited to gain initial access to victim networks using products that are directly accessible from the internet and act as gateways to internal networks.” The Advisory is designed to share information with security professionals to urge them to update systems to protect against the attacks.

According to the notice, “[W]e hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”

The 25 vulnerabilities can be accessed here:

The Advisory further provides general mitigation steps that companies can employ:

  • “Keep systems and products updated and patched as soon as possible after patches are released.
  • Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
  • Disable external management capabilities and set up an out-of-band management network.
  • Block obsolete or unused protocols at the network edge and disable them in device configurations.
  • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
  • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.”

The vulnerabilities are listed in detail in the Advisory, and companies may wish to confirm that every vulnerability listed has been patched on their systems.


Secureworks issues an annual Incident Response Report that is very helpful in obtaining information on what types of incidents are occurring in order to become more resistant to threats. The 2020 IR Report was recently issued, and it contained some conclusions that made sense, while others were surprising.

The Report, entitled Pandemic-Driven Change: The Effect of COVID-19 on Incident Response, recognized that the pandemic has changed the way business is done “with organizations shifting to home-office work styles literally overnight.” Although there was a general assumption that with the transition from work in the office to work from home security incidents would increase, the Secureworks team found that the threat level was unchanged. What changed was the increase in new vulnerabilities that threat attackers took advantage of during the pandemic. According to the Report, “Infrastructure transformed practically overnight for many organizations. A sudden switch to remote work, increased use of cloud services, and increased reliance on personal devices created a significantly expanded attack surface for many enterprises. Facing an urgent need for business continuity, most companies did not have time to put all the necessary protocols, processes, and controls in place.”

In shifting rapidly from the office to workers’ homes, IT professionals were unable to strategize and implement necessary security controls because organizations did not plan for a totally remote workforce. The Report found that companies experienced increased risk in the following areas:

  • Lack of Multi-Factor Authentication
  • Access to SaaS Applications
  • VPN Split Tunneling
  • Security Monitoring and Access Control Implications
  • Delays in Security Patching

Additional increased risks outlined in the Report included allowing remote workers to use their personal devices without implementing a Bring Your Own Device (BYOD) program, and heightened risk due to staffing changes.

These risk factors are not new; they have just become more pronounced during the pandemic. Threat actors used old tactics in a new environment to attack victims. According to the Report, “[A]dversaries simply pivoted their tactics to launch COVID19-themed campaigns, exploit the security gaps in remote work environments, and target organizations involved with pandemic research.” In addition, as we have reported before, attackers are using COVID-19 “as a phishing bait” because they understand that workers are looking for more information about COVID to protect themselves and their families, and thus are less vigilant because they are distracted and scared.

The Secureworks Report confirms that there are new vulnerabilities and old tricks to address during the pandemic with a fully remote workforce.

Patching vulnerabilities has always been challenging, but these days, it is getting more and more complicated as manufacturers try to stay abreast of zero-day vulnerabilities and issue patches as quickly as they can.

Microsoft is well-known for its Patch Tuesday, which is a monthly roll-out of the patches for vulnerabilities it has become aware of in the past month. This past Tuesday, October 13, 2020, was Patch Tuesday for the month of October. It was not the largest release that Microsoft has had on Patch Tuesday this year, with a mere 87 patches. That is down from more than 100 patches released every month between March and September of 2020. In September, Patch Tuesday produced 129 patches.

When IT professionals receive 87 patches from one manufacturer in a month, it puts in perspective just how complicated and hard it is to keep up with all of the patches received from every software vendor and manufacturer whose products companies use in day-to-day operations. It could be a full-time job.

The failure to patch a vulnerability in a timely manner has been the cause of well-known security incidents and data breaches, which has magnified the importance of timely patching. However, the number of patches continues to grow rapidly, making it difficult for IT professionals to keep up with the alerts. It is hard to imagine how they don’t become a little numb to the issuance of yet another patch.

When issuing the patches on Patch Tuesday, Microsoft categorizes the patches into “critical,” “important” and “moderate” in severity so that IT professionals can prioritize the patches when applying them to systems. They also provide helpful information about whether the vulnerabilities are known to be actively exploited by criminals at the time of the release. This month, 11 of the 87 patches were categorized as critical, 75 were categorized as important, and one was classified as moderate. Six of the vulnerabilities were publicly known at the time of the release, so were potentially available to criminals before the release.

According to reports by security experts, the recently released patches IT professionals may wish to concentrate on first this month are the ones that address remote code execution (RCE) vulnerabilities, which allow attackers access to a system without user action—such as clicking on a link in a phishing email. Once in the system, the attacker can obtain privileges, start a ransomware attack or steal data.

Although patching gets more and more complicated, it is important for IT teams to continue to prioritize patches and stay on top of security alerts from vendors regarding vulnerabilities. It is easy to become numb to the number and frequency of patch releases, but timely patching is critical to minimizing risk.