Consortium Networks Monthly Newsletter: September

Introduction

At Consortium Networks, we strive to keep you up to date on anything that might impact your organization in the cybersecurity world. Whether it is regulation, legislation, policy shakeups, cyber trends, or events, we are here to make sure you know what is going on across the space. 

The monthly newsletter will include sections on state and federal legislation and policy conversations, trends across the cybersecurity space including in threat actors, threat types, targets, and more, events held and/or attended by us or our partners and other rotating segments as appropriate throughout the year. 

This newsletter is one way we will keep you informed in an easy-to-read, digestible monthly format. As your Cybersecurity Concierge, we hope the newsletter will prompt conversation between us so that we can better serve you.

Sincerely, 

Consortium Networks

Policy

Though no policy was made or moved into the final stages of passing in August, Congress acted on 3 cyber-related bills, the FTC and CISA presented a potential rule and guidance to the public, and a prominent former official made noise about splitting CISA from DHS as its own agency.

In Congress, H.R.8730 was referred to the Committees on Agriculture, Financial Services, and Judiciary after being introduced on August 19. This bill, the “Digital Commodities Consumer Protection Act of 2022,” would require digital commodity platforms to establish and maintain cybersecurity risk analysis programs. The “Small Business Cybersecurity Act” (S. 4701) was introduced and referred to committee on August 2 and aims to provide cybersecurity support to small businesses through the Small Business Association. S.4592 (“Quantum Computing Cybersecurity Preparedness Act”), which was introduced and referred to committee on August 3, would encourage Federal information technology systems to migrate to quantum-resistant cryptography. 

On the same theme, CISA released an insights paper titled “Preparing Critical Infrastructure for Post-Quantum Cryptography.” The paper details CISA’s plan to help National Critical Function organizations adapt in the changing encryption environment. 

Related to CISA, former head Chris Krebs sparked a conversation around the department’s role and responsibilities when he said during his keynote speech at Black Hat in early August that the agency should break away from the Department of Homeland Security. Experts around the country have widely varying opinions on his argument.

The last item of note at the federal level this month is the FTC’s advance notice of proposed rulemaking on a trade regulation rule on commercial surveillance and data security. The Commission sought public comment on rules or regulatory options addressing the ways companies collect, use, and retain consumer data and/or how they transfer, share, or sell data in unfair or deceptive ways. The FTC will hold a virtual public forum on this item on September 8.

At the state level, New York and California both brought forth rule/legislation changes important to take note of. The New York State Department of Financial Services sought public comment on its proposed changes to Part 500 that, if accepted, would shift the Department’s approach to accountability in cybersecurity within an organization under its jurisdiction and require annual processes to reinforce cybersecurity practices within those organizations. 

California announced proposed changes to the California Consumer Privacy Act (CCPA) intended to bring it into compliance with the California Privacy Rights Act (CPRA). The changes fall into 5 categories: dark patterns, selling & sharing of data, consumer rights requests, and privacy policy requirements. In late August, the California Privacy Protection Agency (CPPA) held a forum for public comment on the proposed changes, where most grievances concerned small and/or minority-owned businesses' ability to bring themselves into compliance with such a large piece of legislation that, in their words, isn't designed for them. If accepted, the changes would go into effect on January 1, 2023.

Internationally, Lloyd’s Insurance announced plans to exclude “catastrophic nation-backed cyberattacks” from coverage. With the ongoing war in Ukraine that has already led to unintended spread of wipers to 24 other countries, questions of how this exclusion will be enforced are already popping up. 

Trendline

The threat landscape of cybersecurity is always changing, and it would be unwise to assume tomorrow's threats will be the same as the ones we face today. This is becoming increasingly clear as many hackers turn away from ransomware attacks in favor of data exfiltration attacks, both because defenses against ransomware continue to strengthen and because cryptocurrencies are becoming more volatile and less valuable. In an interview with cybercriminal Mikhail Matveev, even he agrees that "ransomware will soon die." Ransoms are not being paid as frequently and, with the recent report of a hacking group leaking sensitive information after a ransom was paid, this is likely to continue. Of 10 high-profile cyberattacks in the U.S. and Europe this month, 4 were data exfiltration attacks without a ransomware component. This means that while companies must continue to protect themselves against ransomware through tested backup and recovery strategies, continuous patching, and security awareness training, they must also invest in strong threat detection systems, encryption, and limiting the spread of sensitive information over online communication channels.

As for sectors being targeted, there has been an uptick in the frequency of attacks for companies in the travel industry (including hotels) and public utilities. The White House is setting its sights on the chemicals industry for its next 100-day sprint to gain insight on the nation’s cybersecurity posture across critical infrastructures (previous sprints included electric utilities, gas pipelines, and water treatment plants).

Another trend to watch for is Iran’s increased activity following its development of a data extraction tool. Though Google discovered its attempts to steal emails from Gmail, Yahoo, and Outlook, Iran has had success recently stealing data from Israeli shipping companies and other key industries. 

Events

  • September 7-9: Billington Cybersecurity Summit
    • Washington DC
    • Pricing
      • Gov: Free
      • Corp: $895
      • Academic: $125
      • Student: $25
      • Press, Speaker: Free
  • September 8: The Official Cybersecurity Summit: Critical Infrastructure Cyber Security Summit
    • Time: 8:30-5 EDT
    • Virtual
    • Price: $95
    • 8 CPU/CEU credits
  • September 16: The Official Cybersecurity Summit: Charlotte Cyber Security Summit
    • We will be in attendance (Ginger)
    • In person and virtual options
    • Price: In person $195, Virtual $95
  • September 16: SANS Cybersecurity Leadership Summit and Training
    • Time: 9-6
    • Virtual
  • September 19-21: CrowdStrike Fal.Con
    • We will be in attendance
    • Las Vegas
    • Price: $1,395
  • September 26-28: InfoSec World
    • Lake Buena Vista, Florida
    • Pricing
      • World Pass: $3,495.00
      • Main Conference: $1,895.00
      • Main Conference (Govt. Rate): $1,495.00
      • Main Conference (Non-profit/Education Rate): $1,495.00
      • Workshop or Summit Only: Pricing Varies
      • Expo Only: $299.00
  • September 29: The Official Cyber Security Summit: Cyber Security Healthcare and Pharma Summit
    • Time: 8:30-5
    • Virtual
    • Price: $95

Our Services

Your Cyber Concierge: Our team is ready to help you find solutions for all of your cybersecurity needs. From Endpoint Detection and Response to Multifactor Authentication to Threat Hunting, we will work with you to find the best solution for your organization and your specific budget, needs, and goals. 

Cybersecurity Assessments: Trust our team to quickly and consistently measure your controls against the NIST Cybersecurity Framework, including coverage of each specific domain and sub-domain and maturity of implementation, and to provide actionable, prioritized recommendations. Our assessment will satisfy common compliance and regulatory requirements for regular cybersecurity risk assessments.

Incident Response Planning, Playbook Development, and Tabletop Exercises: To be effective, incident response planning must be relevant to the core functions of your organization. By developing documents to guide actions in a time of crisis, and testing those approaches regularly, your organization will be maximally prepared to minimize the operational impact of a cyber event. Contact Consortium Networks for more information.

Cybersecurity Policy Development, Review, and Refresh: The threat landscape is constantly evolving. So, too, are regulatory and compliance requirements, as well as expectations from clients and third parties. Cybersecurity policies need to anticipate future threats and be kept up to date with accepted best practices while at the same time balancing ease of understanding and implementation. Let us take care of this process for you.

Request for Proposals (RFP) and Procurement Advisory: The requirements set forth in an RFP will determine not only the breadth and depth of potential responses but will also shape all future interactions on the topic with the responding parties such as contract negotiation, payment terms, deliverables, and acceptance criteria. The RFP sets expectations for both parties and outlines avenues available to hold each accountable. Avoid frustrating and costly amendments by making sure your organization has appropriately scoped your RFP from the start.