State Government Cyber Updates
K-12 SCHOOL PHYSICAL SECURITY GUIDE
The Cybersecurity and Infrastructure Security Agency (CISA) released the K-12 School Security Guide Companion Product for School Business Officials, a new resource to help school business officials support physical security planning and implementation initiatives in K-12 schools and school districts.
School business officials can play multiple roles to build and maintain holistic physical security systems in schools. They are key actors in school safety resource allocation efforts and fundamental in the planning of financial, operational and technical upgrades that may take place in K-12 schools or school districts. School business officials can also determine long-term maintenance and funding requirements as well as identify associated dependencies that will occur over a lifetime of school safety investments.
This new companion product uses guidance and best practices outlined in CISA’s existing K-12 School Security Guide to introduce key school physical security concepts and help school business officials make more informed and strategic decisions around the appropriateness and prioritization of physical security investments and improvements. It includes specific information on how school business officials can participate in the school security planning process, address core elements of a school’s security system and consider detection, delay and response strategies at specific layers of a school campus. The companion product also explains how school business officials can use resources such as the School Security Assessment Tool and SchoolSafety.gov Grants Finder Tool to assess vulnerabilities across a K-12 campus and identify funding opportunities to support physical security planning efforts.
The new product is a companion to CISA’s broader K-12 School Security Guide Product Suite. Resources in the suite are designed to support school communities in strengthening their protection and mitigation capabilities against the range of targeted violence and crime-related threats they might face.
STOP RANSOMWARE: RANSOMHUB RANSOMWARE
Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published the joint Cybersecurity Advisory (CSA) #StopRansomware: RansomHub Ransomware. RansomHub, formerly known as Cyclops and Knight, has established itself as an efficient and successful ransomware model.
This advisory provides known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with RansomHub identified through FBI investigations and third-party reporting as recently as August 2024.
RansomHub, a ransomware-as-a-service operation, has encrypted systems and exfiltrated data from at least 210 victims representing all critical infrastructure sectors using a double-extortion model. Phishing emails, exploitation of known vulnerabilities, and password spraying are the typical methods RansomHub affiliates use to compromise internet-facing systems and user endpoints; password spraying targets accounts whose credentials were exposed in earlier data breaches.
Recommended mitigations and actions to protect against RansomHub include installing updates for operating systems, software, and firmware as soon as they are released, requiring phishing-resistant multifactor authentication (MFA) for as many services as possible, and training users to recognize and report phishing attempts.
Organizations are encouraged to review the advisory, IOCs, and TTPs, and to implement the recommended mitigations to protect against ransomware threat actors. Organizations are also encouraged to visit stopransomware.gov, a whole-of-government approach with one central location for no-cost U.S. ransomware resources and alerts, to access the updated Joint #StopRansomware Guide.
ADVISORY RELEASED ON IRAN-BASED CYBER ATTACKS
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center published the joint Cybersecurity Advisory (CSA) “Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations,” which warns of Iran-based cyber actors targeting and exploiting U.S. and foreign organizations across several sectors in the U.S. While it shares similarities with the 2020 CSA on Iranian activity, this new CSA contains information from FBI investigations and analysis of Iranian cyber actors as recent as August 2024.
Organizations are encouraged to review the advisory, indicators of compromise, and tactics, techniques, and procedures, and to implement the recommended mitigations to protect against Iran-based cyber actors.
Organizations are also encouraged to visit stopransomware.gov, a whole-of-government approach with one central location for no-cost U.S. ransomware resources and alerts, to access an updated Joint #StopRansomware Guide.
BEST PRACTICES - EVENT LOGGING & THREAT DETECTION
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Australian Cyber Security Agency and other U.S. and international partners, published Best Practices for Event Logging and Threat Detection, a guide to help organizations define a logging baseline that improves resilience and helps mitigate malicious cyber threats.
The guidance is of moderate technical complexity and is intended for senior information technology decision makers, operational technology (OT) operators, network administrators, network operators, and critical infrastructure providers within medium to large organizations. Written for readers with a basic understanding of event logging, the best practices and recommendations cover cloud services, enterprise networks, enterprise mobility, and OT networks.
The key factors organizations should consider when pursuing logging best practices are:
(1) Enterprise approved logging policy;
(2) Centralized log access and correlation;
(3) Secure storage and log integrity; and
(4) Detection strategy for relevant threats.
Organizations are encouraged to review the best practices in this guide and implement the recommended actions, which can help detect malicious activity, behavioral anomalies, and compromised networks, devices, or accounts.
ACTIVE INDUSTRY THREATS
Ivanti Vulnerabilities (01/19/24) - CISA has issued Emergency Directive (ED) 24-01, Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities, in response to actively exploited vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. ED 24-01 directs all Federal Civilian Executive Branch (FCEB) agencies running Ivanti Connect Secure and Ivanti Policy Secure to:
(1) Implement the mitigations as detailed in the ED;
(2) Report indications of compromise to CISA;
(3) Remove compromised products from agency networks and follow the ED’s comprehensive instructions for restoring and bringing the products back into service;
(4) Apply the updates to the products within 48 hours of Ivanti releasing them; and
(5) Provide CISA with a report that includes a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, along with details on actions taken and their results.
Although this directive applies only to FCEB agencies, CISA strongly encourages all organizations to address the vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. For additional details, see CISA’s Alert, Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways, which CISA will update with further mitigations and patches as they become available.