August 24, 2017
White House Advisors Warn of Critical Infrastructure Vulnerabilities – United States
A group of advisors to the White House has warned President Donald Trump and his administration of the risk of a cyber attack against critical infrastructure in the United States that could be comparable to the events of 11 September 2001. The warning came from the National Infrastructure Advisory Council (NIAC), a group commissioned by the National Security Council (NSC) to review the federal government’s capability to secure infrastructure against targeted cyber attacks. In its published report, the NIAC called for “direction and leadership to dramatically reduce cyber risks,” and warned that a failure to take action could result in catastrophic outcomes. “The challenges the NIAC identified are well-known and reflected in study after study,” the NIAC wrote. “There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions.” While the warning from the advisory group was deadly serious, the NIAC presented several recommendations that could help prevent such a disaster from occurring. At the top of the council's to-do list was establishing separate and secure networks for critical infrastructure, including building “dark fiber” networks for traffic from critical control systems, as well as backup communications protocols for emergencies. Such a change would place a gap between the open, public internet and the private communications infrastructure that lets devices vital to critical infrastructure communicate.
Cybersecurity is No Longer an Option for Supply Chains – United States
The abundance of mobile and connected devices in the supply chain has created an opening for hackers to target operations, Supply Chain Brain reports. As a result, industry experts are debating the most practical methods to alleviate cyber risk. American Shipper reports that a cultural disconnect exists in addressing cybersecurity. Companies that consider cybersecurity measures an investment in safety, rather than an expense, have a competitive advantage. Rigorous policies to maintain system updates and preventive measures may build resilience. But cybersecurity also depends on human resources, as shown by the recent Nyetya attack. The BBC reports that carriers' ever-changing crews may lead to a poor understanding of the cyber risks brought by personal devices, creating openings for hackers. Staff training is therefore essential to secure operations. Neither confusion, a sense of being overwhelmed, nor cost can justify a lack of cybersecurity in our current connected environment. Recognizing that cybersecurity is a necessary investment is a non-negotiable reality. For companies hesitant to spend the money to enlist expert support, the realization that insufficient protection could ultimately cost even more may serve as motivation. During the WannaCry attack, for example, French carmaker Renault lost four days of production. Four days is a long time within a supply chain — can the cost of protection possibly have equaled the time lost and the business disrupted? Now, with Nyetya fresh in mind, freight industry stakeholders are beginning to act as well. The Baltic and International Maritime Council (BIMCO) released a new version of its Guidelines for Cyber Security Onboard Ships manual. Clearly motivated by the damage done to Maersk and others, the guide seeks to highlight the importance of insurance and the effective segregation of cyber networks in order to assist in repelling full system corruption.
Ropemaker Allows Attackers to Change the Content of an Email After it is Delivered – Global
A new email exploit, dubbed Ropemaker, allows a malicious actor to edit the content of an email after it has been delivered to the recipient and has passed through the necessary filters. For instance, an attacker could swap a benign URL with a malicious one in an email already delivered to an inbox, or edit any text in the body of an email whenever they want—all without direct access to that inbox. First uncovered by Mimecast’s research team, a successful exploit could even undermine those who use S/MIME or PGP for signing. “The origin of Ropemaker lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML,” explained Matthew Gardiner, a spokesperson at Mimecast, in a blog. “While the use of these web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.” He added, “Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.” Brian Robison, senior director of security technology at Cylance, said that there are aspects of the threat that are not necessarily new but should nonetheless be on the radar for any organization. “This advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended,” he explained via email. “Modern email applications render HTML as if it were a web page using CSS to make the email ‘look’ nice. This is currently standard practice within every legitimate marketing organization in the world.”
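Ropemaker depends on CSS that the mail client fetches from a remote server when the message is displayed, so a mail gateway can flag HTML parts that reference network-hosted stylesheets. The check below is an added example, not code from Mimecast or from this bulletin; the function name `remote_stylesheets`, the sample message and its domains are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

REMOTE = re.compile(r"(?:https?:)?//", re.I)
IMPORT = re.compile(r"@import\s+(?:url\(\s*)?['\"]?\s*((?:https?:)?//[^'\"\s)]+)", re.I)

# Constructed sample message (hypothetical sender and domains).
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://styles.example.net/mail.css">
<style>@import url("//cdn.example.net/extra.css"); p { color: #333; }</style>
</head><body><p>See <a href="https://example.com/inv">invoice</a>.</p></body></html>
"""

class StyleScanner(HTMLParser):
    """Collects stylesheet URLs that would be fetched over the network."""
    def __init__(self):
        super().__init__()
        self.remote, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self.in_style = True
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if REMOTE.match(a.get("href", "").strip()):
                self.remote.append(a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # @import rules inside an inline <style> block
            self.remote.extend(IMPORT.findall(data))

def remote_stylesheets(raw_message):
    """Return remote stylesheet URLs referenced by any text/html part."""
    found = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            scanner = StyleScanner()
            scanner.feed(part.get_content())
            scanner.close()
            found.extend(scanner.remote)
    return found
```

A non-empty result means the rendered content can differ from what was scanned at delivery time; a gateway could strip those references or convert the message to plain text.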
FOR MORE INFORMATION:
To sign up for the complete daily G4S Corporate Risk Services Intelligence Bulletin, as well as regular intelligence and risk updates and news, click here to subscribe!