Welcome back to the Medical Web Experts Security Bulletin. Below are some recent developments that may impact your organization, as well as our recommendations for keeping your systems secure.
The Cybersecurity & Infrastructure Security Agency (CISA) released an advisory this month to federal government officials, alerting them to be prepared for a wave of cyberattacks by Russian-backed hacker groups. CISA describes a series of commonly exploited vulnerabilities that can be used to gain access to government or corporate networks. We recommend that you review the advisory and ensure that all of your software is up to date.
A cybersecurity company from Israel used a zero-day vulnerability (a vulnerability not reported to the manufacturer and with no patch) in iPhones to sell spyware capabilities to its clients. Like the NSO Group that gave birth to the Pegasus spyware, another company in Israel is now trying to do the same, even after all of the bad press NSO got for selling these products to dubious regimes around the world.
Zero-day vulnerabilities are difficult to mitigate, as there is no known patch for them. However, applying security measures in layers, for example by encrypting communications securely when using mobile devices, can help to avoid a complete compromise of the device.
The Biden administration has formed a Cyber Safety Review Board within the Department of Homeland Security, tasked with examining and learning from previous cybersecurity failures. The board will function under the NSA and will focus on the latest Log4j vulnerability that has affected many web services and software in the past months. This is a great exercise for gaining knowledge from previous incidents and applying it to future cybersecurity incidents that may arise.
US Government Releases Memo on “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”
The Executive Office of the President released a memo to prepare all branches of the government to adopt zero trust cybersecurity principles. A key tenet of zero trust architecture is that no network is implicitly considered trusted. Several commercial services, like BeyondCorp from Google, are also trying to offer zero trust approaches to private companies.
The memo also underlines the importance of encrypting communications both outside and inside the organization, addressing some of today’s challenges such as secure DNS or encrypting email, a service that was created in the ’70s and is still difficult to protect. CISA will work on evaluating new standards for the aforementioned services.