FEDORA-2023-6139d4e088
Packages in this update:
curl-8.0.1-3.fc38
Update description:
fix fopen race condition (CVE-2023-32001)
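The update line above names the bug class only. As an added illustration, which is neither curl's code nor part of the Fedora notice, the following shows the general check-then-open pattern behind an fopen race beside its open-then-fstat fix. It assumes a POSIX system (os.O_NOFOLLOW), and it stages the symlink swap in a temporary directory instead of racing for it, so the outcome is deterministic; the file names "target" and "link" are constructed for the demo.

```python
import os
import stat
import tempfile


def open_for_write_racy(path: str):
    """Vulnerable check-then-open: stat() the name, then open the name again.
    stat() follows symlinks, so it reports the regular file a link points at;
    an attacker who can write the directory swaps in a symlink between the two
    calls, and the truncating open lands on the link's target."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise OSError("refusing to write to a non-regular file")
    return open(path, "w")  # the path is resolved a second time here (TOCTOU gap)


def open_for_write_safe(path: str):
    """Hardened open-then-check: O_NOFOLLOW makes the open fail (ELOOP) if the
    final component is a symlink, and fstat() on the descriptor we actually
    hold cannot be raced by renaming or relinking the path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("not a regular file")
        return os.fdopen(fd, "w")
    except BaseException:
        os.close(fd)
        raise


def demo_symlink_swap(workdir: str) -> dict:
    """Stage the state the attacker races for: `link` already points at
    `target`, i.e. the swap happened just before the open. Returns what each
    opener did to target."""
    target = os.path.join(workdir, "target")
    link = os.path.join(workdir, "link")
    with open(target, "w") as f:
        f.write("original\n")
    os.symlink(target, link)
    out = {}

    try:
        with open_for_write_racy(link) as f:   # stat() sees a regular file through the link
            f.write("clobbered\n")
    except OSError:
        pass
    with open(target) as f:
        out["target_after_racy"] = f.read()

    with open(target, "w") as f:              # reset so the second opener sees the same state
        f.write("original\n")
    try:
        with open_for_write_safe(link) as f:
            f.write("clobbered\n")
        out["safe_refused"] = False
    except OSError:                           # ELOOP from O_NOFOLLOW
        out["safe_refused"] = True
    with open(target) as f:
        out["target_after_safe"] = f.read()
    return out


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo_symlink_swap(d)


if __name__ == "__main__":
    print(run_demo())
```

The hardened opener still cannot tell a hard link to a victim file from the file itself, because fstat() sees the same inode either way; that case needs a directory the attacker cannot write, or OS-level protections such as Linux's fs.protected_hardlinks.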
The Atlantic Council released a detailed commentary on the White House’s new “Implementation Plan for the 2023 US National Cybersecurity Strategy.” Lots of interesting bits.
So far, at least three trends emerge:
First, the plan contains a (somewhat) more concrete list of actions than its parent strategy, with useful delineation of lead and supporting agencies, as well as timelines aplenty. By assigning each action a designated lead and timeline, and by including a new nominal section (6) focused entirely on assessing effectiveness and continued iteration, the ONCD suggests that this is not so much a standalone text as the framework for an annual, crucially iterative policy process. That many of the milestones are still hazy might be less important than the commitment the administration has made to revisit this plan annually, allowing the ONCD team to leverage their unique combination of topical depth and budgetary review authority.
Second, there are clear wins. Open-source software (OSS) and support for energy-sector cybersecurity receive considerable focus, and there is a greater budgetary push on both technology modernization and cybersecurity research. But there are missed opportunities as well. Many of the strategy’s most difficult and revolutionary goals—holding data stewards accountable through privacy legislation, finally implementing a working digital identity solution, patching gaps in regulatory frameworks for cloud risk, and implementing a regime for software cybersecurity liability—have been pared down or omitted entirely. There is an unnerving absence of “incentive-shifting-focused” actions, one of the most significant overarching objectives from the initial strategy. This backpedaling may be the result of a new appreciation for a deadlocked Congress and the precarious present for the administrative state, but it falls short of the original strategy’s vision and risks making no progress against its most ambitious goals.
Third, many of the implementation plan’s goals have timelines stretching into 2025. The disruption of a transition, be it to a second term for the current administration or the first term of another, will be difficult to manage under the best of circumstances. This leaves still more of the boldest ideas in this plan in jeopardy and raises questions about how best to prioritize, or accelerate, among those listed here.
The FBI warns that tech support scammers are increasingly telling their victims to send actual cash, concealed in a newspaper or a magazine, rather than wiring funds.
But why?
Read more in my article on the Tripwire State of Security blog.
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In the current geopolitical climate the energy sector, which powers modern society from homes and businesses to critical infrastructure and national defense systems, faces a growing threat of cyberattack.
As the sector's dependence on digital technologies and interconnectivity grows, so does its attack surface. Incidents such as the 2020 SolarWinds supply-chain compromise and the 2021 Colonial Pipeline ransomware attack, which halted fuel distribution to the US East Coast, showed how far a single intrusion can propagate through a value chain, and the threat level has only escalated since. These circumstances make a robust, proactive cybersecurity strategy for the energy sector urgent.
According to McKinsey, the energy sector is particularly vulnerable to cyber threats due to several characteristics that amplify the risk and impact of attacks against utilities:
The threat landscape has expanded: nation-state actors, sophisticated criminal groups, opportunistic cybercriminals, and hacktivists all target infrastructure providers. These actors differ widely in capability and in the disruption they can cause to electric power and gas operations.
The geographically distributed nature of utility infrastructure further complicates cybersecurity. Maintaining visibility across both information technology (IT) and operational technology (OT) systems is hard enough within utility-controlled sites; it is harder still for consumer-facing devices, whose vulnerabilities can put revenue and the overall security of the grid at risk.
The organizational complexity of the energy sector adds to the exposure. Utilities often rely on multiple business units, each responsible for a different part of generation, transmission, and distribution, and this diversity produces separate IT and OT policy regimes that make it difficult to secure the network as a whole.
To illustrate the potential impact across the value chain, electric utilities in particular face threats that can disrupt each stage: generation, transmission, distribution, and the customer-facing network.
Generation stage: Threats here include service interruptions and ransomware attacks against power plants and clean-energy generators. The main exposure lies in legacy generation systems and clean-energy infrastructure that were not designed with cybersecurity in mind.
Transmission stage: Remote disconnection of service could cut power to consumers on a large scale. Physical-security weaknesses that allow unauthorized access to grid control systems are the enabling factor.
Distribution stage: Attacks on substations could cause regional service loss and customer disruptions. The root causes are the distributed nature of these systems and the limited security built into Supervisory Control and Data Acquisition (SCADA) systems.
Network stage: Cyber threats at this stage could lead to the theft of customer information, fraudulent activities, and service disruptions. These threats are driven by the extensive attack surface presented by Internet of Things (IoT) devices, including smart meters and electric vehicles.
To further strengthen cybersecurity practices in the energy sector, the following key recommendations should be considered:
Develop strategic threat intelligence: Establish dedicated teams to monitor and analyze threats, providing a proactive view of potential risks. Integrate intelligence reporting into strategic planning and exercise incident response plans regularly.
Integrate security across regions and organizations: Create a unified approach to cybersecurity by establishing common security standards across all regions and business units. Foster a culture of security awareness and streamline processes for information sharing and decision-making.
Design clear and safe network architectures: Implement clear network segmentation and micro-segmentation strategies to limit the spread of cyberattacks within the network. Define security zones and establish secure demilitarized zones (DMZs) between IT and OT networks.
Promote industry collaboration: Engage in partnerships and industry-wide collaborations to develop common standards and best practices for cybersecurity. Participate in regional cooperation to share knowledge and discuss security concerns specific to shared power grids. Advocate for security by design in IT and OT technologies, especially in smart-grid devices that may lie outside the utilities' direct control. Additionally, organizing future-facing industry-wide exercises can help predict and preemptively address emerging threats to broader grid security.
Strengthen employee training and awareness: Build a culture of cybersecurity awareness within energy companies by conducting regular training sessions for employees. Educate them on identifying and responding to potential threats, emphasizing the importance of following established security protocols and reporting any suspicious activities.
Implement robust email security measures: Recognizing that phishing attacks often serve as entry points for cybercriminals, energy companies should prioritize comprehensive email security measures. These measures can include advanced spam filters, email authentication protocols (such as DMARC, SPF, and DKIM), and user awareness campaigns to identify and avoid phishing attempts.
Ensure secure remote access solutions: With remote work becoming increasingly prevalent, energy companies must ensure the security of remote access solutions. This involves implementing strong authentication methods, such as multi-factor authentication (MFA), virtual private networks (VPNs) with robust encryption, and strict access controls to minimize the risk of unauthorized access.
Regular software updates and patch management: Keeping all software systems and applications up-to-date is crucial in protecting against known vulnerabilities that cybercriminals often exploit. Energy companies should establish robust patch management processes to ensure timely updates and apply security patches promptly.
Backup and recovery planning: Developing comprehensive backup and recovery plans is essential for mitigating the impact of cyberattacks. Regularly backing up critical data and systems and maintaining off-site or offline backups can help organizations quickly recover in the event of a breach or system compromise. Testing the effectiveness of backup and recovery plans through regular drills and simulations is also recommended.
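The segmentation recommendation above (security zones with a DMZ between IT and OT, and explicit conduits between zones) is easiest to reason about as a default-deny policy that can be checked against observed traffic. The following is an added example, not the post's material or any vendor's product: a small zone-and-conduit policy evaluator run over constructed flow records. The address plan, the conduit list, and the flow records are all assumptions made for the demo, and "FIELD" is used here for the PLC/RTU level below the control network.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed address plan for the example (an assumption, not the post's):
# one /24 per security zone. The DMZ is the only place enterprise (IT)
# traffic may terminate; nothing from IT reaches OT or FIELD directly.
ZONES = {
    "IT":    ipaddress.ip_network("10.10.0.0/24"),  # enterprise workstations and servers
    "DMZ":   ipaddress.ip_network("10.20.0.0/24"),  # IT/OT boundary: historian replica, jump host
    "OT":    ipaddress.ip_network("10.30.0.0/24"),  # control network: SCADA servers, HMIs
    "FIELD": ipaddress.ip_network("10.40.0.0/24"),  # PLCs and RTUs at substations
}

# Explicit conduits as (src zone, dst zone, protocol, destination port).
# Everything not listed is denied.
CONDUITS = {
    ("IT",  "DMZ",   "tcp", 443),    # engineers reach the jump/RDP gateway over HTTPS
    ("OT",  "DMZ",   "tcp", 1433),   # historian pushes data outward to its DMZ replica
    ("DMZ", "OT",    "tcp", 22),     # jump host SSH to control servers
    ("OT",  "FIELD", "tcp", 502),    # SCADA master polling Modbus/TCP outstations
    ("OT",  "FIELD", "tcp", 20000),  # DNP3
}


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Default-deny check of one flow against the zone model."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every defined zone"
    if src == dst:
        # Intra-zone traffic is permitted at this layer; micro-segmentation
        # within a zone (e.g. HMI to HMI) is a further, host-level policy.
        return True, "intra-zone"
    key = (src, dst, proto.lower(), dport)
    if key in CONDUITS:
        return True, "conduit %s->%s/%s/%d" % key
    return False, "no conduit %s->%s/%s/%d" % key


def audit(flow_records: Iterable[str]) -> List[str]:
    """Run 'src dst proto dport' records through the policy; return the denied ones."""
    denied = []
    for line in flow_records:
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts[0], parts[1], parts[2], int(parts[3])
        ok, why = flow_allowed(src, dst, proto, dport)
        if not ok:
            denied.append("%s -> %s %s/%d: %s" % (src, dst, proto, dport, why))
    return denied


# Constructed flow records (not real traffic), in the shape a firewall or
# NetFlow export might list them.
SAMPLE_FLOWS = [
    "10.10.0.15 10.20.0.5 tcp 443",    # engineer to jump host: allowed
    "10.10.0.15 10.30.0.10 tcp 22",    # engineer straight to a SCADA server: denied
    "10.30.0.10 10.40.0.3 tcp 502",    # SCADA master polling a PLC: allowed
    "10.30.0.10 10.20.0.8 tcp 1433",   # historian replication outward: allowed
    "10.40.0.3 10.10.0.15 tcp 445",    # PLC initiating SMB to the enterprise: denied
    "10.20.0.5 10.30.0.10 tcp 22",     # jump host to SCADA server: allowed
    "10.20.0.5 10.40.0.3 tcp 502",     # jump host straight to a PLC: denied (must go via OT)
]

if __name__ == "__main__":
    for d in audit(SAMPLE_FLOWS):
        print("DENY", d)
```

The useful property is the direction of the conduits: OT initiates toward the DMZ and toward the field, the DMZ initiates toward OT only from the jump host, and nothing initiates from the field or from IT into the control network. Feeding real flow exports through the same check surfaces exactly the paths an attacker would need.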
With IT and OT environments increasingly integrated, it is worth highlighting that 94% of IT security incidents have also affected the OT environment. This underscores that securing energy infrastructure against cyber threats is an ongoing and comprehensive task.
In this evolving landscape, effective cybersecurity is not a standalone effort but hinges on several key elements:
Cross-regional and cross-departmental integration
Secure network architectures and demilitarized zones
Recognition of the sector’s unique vulnerabilities
Implementation of layered defense strategies to significantly mitigate risks
Strategic threat intelligence that enables proactive responses to threats
Prioritization of staff training, robust email security, and secure remote access solutions
Regular software updates and industry-wide collaboration
By adhering to these recommendations and fostering a proactive cybersecurity mindset, we can safeguard our critical infrastructure and ensure a resilient energy future.
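The email-security recommendation above lists SPF, DKIM, and DMARC together, and the part most often misunderstood is how DMARC combines the first two: a message passes only if an authenticated identifier is aligned with the visible From domain. As an added example, not from the post, here is that evaluation written out and run over constructed scenarios for an assumed domain utility.example with an assumed policy of p=reject. The organizational-domain rule is simplified to the last two labels; real evaluators use the Public Suffix List.

```python
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse the TXT record published at _dmarc.<domain>, for example
    'v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@utility.example'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # RFC 7489 defaults: relaxed alignment for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for the example.
    Real evaluators consult the Public Suffix List so that e.g. example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment is an exact match; relaxed ('r') compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   record: str) -> Dict[str, str]:
    """DMARC passes if either authenticated identifier aligns with the RFC5322.From
    domain: the SPF-checked MAIL FROM domain, or the DKIM signature's d= domain."""
    pol = parse_dmarc_record(record)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, pol["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, pol["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else pol["p"],
        "spf_aligned": str(spf_aligned),
        "dkim_aligned": str(dkim_aligned),
    }


# Assumed policy for the example domain; strict DKIM alignment, relaxed SPF alignment.
POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@utility.example"


def scenarios() -> Dict[str, Dict[str, str]]:
    """Constructed cases, not real messages."""
    return {
        # Utility's own relay: bounce subdomain passes SPF (relaxed alignment), DKIM signed by the exact domain.
        "legitimate": dmarc_evaluate("utility.example", "pass", "bounce.utility.example",
                                     "pass", "utility.example", POLICY),
        # Spoof: the attacker's server passes SPF and DKIM for attacker.example, but neither aligns.
        "spoofed": dmarc_evaluate("utility.example", "pass", "attacker.example",
                                  "pass", "attacker.example", POLICY),
        # Forwarded via a mailing list: SPF breaks on the forwarder's IP, the original DKIM signature survives.
        "forwarded": dmarc_evaluate("utility.example", "fail", "bounce.utility.example",
                                    "pass", "utility.example", POLICY),
        # adkim=s: a DKIM signature from a subdomain does not align, and SPF failed, so the mail is rejected.
        "subdomain_dkim_only": dmarc_evaluate("utility.example", "fail", None,
                                              "pass", "mail.utility.example", POLICY),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(name, verdict)
```

The spoofed case is the one phishing relies on: SPF and DKIM both "pass" for the attacker's own domain, and only the alignment check ties the result back to the domain the recipient actually sees.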
UK’s critical infrastructure sector concerned over expanding attack surface
It was discovered that ECDSA Util did not properly verify certain signature values. An attacker could possibly use this issue to bypass signature verification.
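The advisory does not say which check was missing. One well-known way an ECDSA verifier fails in this manner is to skip the range check 1 <= r, s < n (and the test that the recovered point is not the point at infinity); the example below assumes that class of defect for illustration and is not ECDSA Util's code. It implements ECDSA over secp256k1 from scratch, with a lenient verifier beside a strict one, and shows that an all-zero signature forges any message against the lenient one. The private key and message are constructed test values.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# secp256k1 domain parameters (standard values).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition (the curve has a = 0)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication; mul(0, pt) is the point at infinity."""
    r = None
    while k > 0:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv: int, msg: bytes) -> Tuple[int, int]:
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r != 0 and s != 0:
            return r, s


def verify_lenient(pub: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Omits the mandatory checks. Two shortcuts combine badly: a hand-rolled
    inverse that returns 0 for 0, and representing infinity with x = 0."""
    r, s = sig
    e = hash_to_int(msg)
    w = 0 if s % N == 0 else pow(s, -1, N)
    R = add(mul(e * w % N, G), mul(r * w % N, pub))
    rx = 0 if R is None else R[0]
    return rx % N == r % N


def verify_strict(pub: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    """ECDSA verification with the range and infinity checks the spec requires."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, N)
    R = add(mul(e * w % N, G), mul(r * w % N, pub))
    if R is None:
        return False
    return R[0] % N == r


def demo() -> dict:
    priv = 0xC0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE  # constructed test key
    pub = mul(priv, G)
    msg = b"firmware-2.4.1.bin"
    genuine = sign(priv, msg)
    forged = (0, 0)  # attacker supplies all-zero r and s with any message
    return {
        "genuine_lenient": verify_lenient(pub, msg, genuine),
        "genuine_strict": verify_strict(pub, msg, genuine),
        "forged_lenient": verify_lenient(pub, b"any message at all", forged),
        "forged_strict": verify_strict(pub, b"any message at all", forged),
    }


if __name__ == "__main__":
    print(demo())
```

With s = 0 the lenient verifier computes u1 = u2 = 0, so R is the point at infinity, which it encodes as x = 0; that matches r = 0, and the signature "verifies" for every message and every public key. The strict verifier never reaches the arithmetic, because the range check rejects r = 0 and s = 0 first.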
Adobe InDesign versions 16.3 (and earlier), and 16.3.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious BMP file.
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of the Linux kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.